Nuclear Safety

Safety Reports Series
N o. 8 6
Safety Aspects of Nuclear

Power Plants in Human
Induced External Events:
General Considerations
IAEA SAFETY STANDARDS AND RELATED PUBLICATIONS
IAEA SAFETY STANDARDS

Under the terms of Article III of its Statute, the IAEA is authorized to establish or adopt
standards of safety for protection of health and minimization of danger to life and property, and
to provide for the application of these standards.
The publications by means of which the IAEA establishes standards are issued in the
IAEA Safety Standards Series. This series covers nuclear safety, radiation safety, transport
safety and waste safety. The publication categories in the series are Safety Fundamentals,
Safety Requirements and Safety Guides.
Information on the IAEAs safety standards programme is available on the IAEA Internet
site
http://www-ns.iaea.org/standards/
The site provides the texts in English of published and draft safety standards. The texts
of safety standards issued in Arabic, Chinese, French, Russian and Spanish, the IAEA Safety
Glossary and a status report for safety standards under development are also available. For
further information, please contact the IAEA at: Vienna International Centre, PO Box 100,
1400 Vienna, Austria.
All users of IAEA safety standards are invited to inform the IAEA of experience in their
use (e.g. as a basis for national regulations, for safety reviews and for training courses) for the
purpose of ensuring that they continue to meet users needs. Information may be provided via
the IAEA Internet site or by post, as above, or by email to Ofcial.Mail@iaea.org.
RELATED PUBLICATIONS
The IAEA provides for the application of the standards and, under the terms of Articles III
and VIII.C of its Statute, makes available and fosters the exchange of information relating
to peaceful nuclear activities and serves as an intermediary among its Member States for this
purpose.
Reports on safety in nuclear activities are issued as Safety Reports, which provide
practical examples and detailed methods that can be used in support of the safety standards.
Other safety related IAEA publications are issued as Emergency Preparedness and
Response publications, Radiological Assessment Reports, the International Nuclear Safety
Groups INSAG Reports, Technical Reports and TECDOCs. The IAEA also issues reports
on radiological accidents, training manuals and practical manuals, and other special safety
related publications.
Security related publications are issued in the IAEA Nuclear Security Series.
The IAEA Nuclear Energy Series comprises informational publications to encourage
and assist research on, and the development and practical application of, nuclear energy for
peaceful purposes. It includes reports and guides on the status of and advances in technology,
and on experience, good practices and practical examples in the areas of nuclear power, the
nuclear fuel cycle, radioactive waste management and decommissioning.
SAFETY ASPECTS OF
NUCLEAR POWER PLANTS
IN HUMAN INDUCED
EXTERNAL EVENTS:
GENERAL CONSIDERATIONS
The following States are Members of the International Atomic Energy Agency:
AFGHANISTAN GEORGIA OMAN

ALBANIA GERMANY PAKISTAN
ALGERIA GHANA PALAU
ANGOLA GREECE PANAMA
ANTIGUA AND BARBUDA GUATEMALA PAPUA NEW GUINEA
ARGENTINA GUYANA PARAGUAY
ARMENIA HAITI PERU
AUSTRALIA HOLY SEE PHILIPPINES
AUSTRIA HONDURAS POLAND
AZERBAIJAN HUNGARY PORTUGAL
BAHAMAS ICELAND QATAR
BAHRAIN INDIA REPUBLIC OF MOLDOVA
BANGLADESH INDONESIA ROMANIA
BARBADOS IRAN, ISLAMIC REPUBLIC OF RUSSIAN FEDERATION
BELARUS IRAQ RWANDA
BELGIUM IRELAND SAN MARINO
BELIZE ISRAEL SAUDI ARABIA
BENIN ITALY SENEGAL
BOLIVIA, PLURINATIONAL JAMAICA SERBIA
STATE OF JAPAN SEYCHELLES
BOSNIA AND HERZEGOVINA JORDAN SIERRA LEONE
BOTSWANA KAZAKHSTAN SINGAPORE
BRAZIL KENYA SLOVAKIA
BRUNEI DARUSSALAM KOREA, REPUBLIC OF SLOVENIA
BULGARIA KUWAIT SOUTH AFRICA
BURKINA FASO KYRGYZSTAN SPAIN
BURUNDI LAO PEOPLES DEMOCRATIC SRI LANKA
CAMBODIA REPUBLIC SUDAN
CAMEROON LATVIA SWAZILAND
CANADA LEBANON SWEDEN
CENTRAL AFRICAN LESOTHO SWITZERLAND
REPUBLIC LIBERIA SYRIAN ARAB REPUBLIC
CHAD LIBYA TAJIKISTAN
CHILE LIECHTENSTEIN THAILAND
CHINA LITHUANIA THE FORMER YUGOSLAV
COLOMBIA LUXEMBOURG REPUBLIC OF MACEDONIA
CONGO MADAGASCAR TOGO
COSTA RICA MALAWI TRINIDAD AND TOBAGO
CTE DIVOIRE MALAYSIA TUNISIA
CROATIA MALI TURKEY
CUBA MALTA TURKMENISTAN
CYPRUS MARSHALL ISLANDS UGANDA
CZECH REPUBLIC MAURITANIA UKRAINE
DEMOCRATIC REPUBLIC MAURITIUS UNITED ARAB EMIRATES
OF THE CONGO MEXICO UNITED KINGDOM OF
DENMARK MONACO GREAT BRITAIN AND
DJIBOUTI MONGOLIA NORTHERN IRELAND
DOMINICA MONTENEGRO UNITED REPUBLIC
DOMINICAN REPUBLIC MOROCCO OF TANZANIA
ECUADOR MOZAMBIQUE UNITED STATES OF AMERICA
EGYPT MYANMAR URUGUAY
EL SALVADOR NAMIBIA UZBEKISTAN
ERITREA NEPAL VANUATU
ESTONIA NETHERLANDS VENEZUELA, BOLIVARIAN
ETHIOPIA NEW ZEALAND REPUBLIC OF
FIJI NICARAGUA VIET NAM
FINLAND NIGER YEMEN
FRANCE NIGERIA ZAMBIA
GABON NORWAY ZIMBABWE
The Agencys Statute was approved on 23 October 1956 by the Conference on the Statute of the
IAEA held at United Nations Headquarters, New York; it entered into force on 29 July 1957.
The Headquarters of the Agency are situated in Vienna. Its principal objective is to accelerate and enlarge
the contribution of atomic energy to peace, health and prosperity throughout the world.
SAFETY REPORTS SERIES No. 86
SAFETY ASPECTS OF
IN HUMAN INDUCED
EXTERNAL EVENTS:
GENERAL CONSIDERATIONS
INTERNATIONAL ATOMIC ENERGY AGENCY

VIENNA, 2017
COPYRIGHT NOTICE
All IAEA scientific and technical publications are protected by the terms of
the Universal Copyright Convention as adopted in 1952 (Berne) and as revised
in 1972 (Paris). The copyright has since been extended by the World Intellectual
Property Organization (Geneva) to include electronic and virtual intellectual
property. Permission to use whole or parts of texts contained in IAEA publications
in printed or electronic form must be obtained and is usually subject to royalty
agreements. Proposals for non-commercial reproductions and translations are
welcomed and considered on a case-by-case basis. Enquiries should be addressed
to the IAEA Publishing Section at:
Marketing and Sales Unit, Publishing Section

International Atomic Energy Agency
Vienna International Centre
PO Box 100
1400 Vienna, Austria
fax: +43 1 2600 29302
tel.: +43 1 2600 22417
email: sales.publications@iaea.org
http://www.iaea.org/books
IAEA, 2017
Printed by the IAEA in Austria

March 2017
STI/PUB/1721
IAEA Library Cataloguing in Publication Data

Names: International Atomic Energy Agency.
Title: Safety aspects of nuclear power plants in human induced external events :
general considerations / International Atomic Energy Agency.
Description: Vienna : International Atomic Energy Agency, 2017. | Series: IAEA
safety reports series, ISSN 10206450 ; no. 86 | Includes bibliographical
references.
Identifiers: IAEAL 16-01061 | ISBN 9789201110152 (paperback : alk. paper)
Subjects: LCSH: Nuclear power plants Safety measures. | Nuclear power plants
Design and construction. | Nuclear power plants Risk assessment.
Classification: UDC 621.039.58 | STI/PUB/1721
FOREWORD
Many human actions pose challenges to the safe operation of a nuclear

installation, such as a nuclear power plant. These challenges may arise from
activities human beings undertake as a part of routine life. The challenges arising
from intentional and accidental events need to be evaluated given the current
design robustness of the installation and the vulnerability of the location of such
events.
This publication is the first of three Safety Reports on the safety assessment
of nuclear facilities subjected to extreme human induced external events.
These publications address the assessment of nuclear installations subjected to
accidental or unintentional human actions. They provide the general framework
for approaches to obtaining the overall plant performance with regard to the
fundamental safety functions from the performance of individual components.
It includes safety assessments, the characterization and quantification of
loadings, and appropriate analysis techniques and material properties for capacity
assessments. This publication explores established methodologies in the light of
recent advances in the understanding of material behaviour under such extreme
loading conditions and computational techniques that can incorporate such
behaviour in the analytical modelling.
These three Safety Reports were developed using funding from Member
States voluntarily contributing to, and participating in, the extrabudgetary
programme of the External Events Safety Section (EESS-EBP). Established in
2007, the EESS-EBP has developed technical documents considered a priority
for Member States, given the current experience with severe external events
globally. The aim of the programme is to provide technical inputs to current and
future IAEA safety standards. The EESS-EBP implements these activities by
assimilating the latest technical issues and practical methodologies in Member
States, and disseminates the information through technical publications, sharing
them in the working groups, and by participating in global conferences and
forums.
The work of all the contributors to the drafting and review of this publication
is greatly appreciated. In particular, the IAEA gratefully acknowledges the
contributions of J.J.Johnson (United States of America) to the drafting of this
publication, and of A.Blahoianu and N.Orbovic (Canada) to its review. The
IAEA officers responsible for this publication were A.Altinyollar and F.Beltran
of the Division of Nuclear Installation Safety.
EDITORIAL NOTE
Although great care has been taken to maintain the accuracy of information contained
in this publication, neither the IAEA nor its Member States assume any responsibility for
consequences which may arise from its use.
This publication does not address questions of responsibility, legal or otherwise, for acts
or omissions on the part of any person.
Guidance provided here, describing good practices, represents expert opinion but does
not constitute recommendations made on the basis of a consensus of Member States.
The use of particular designations of countries or territories does not imply any
judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of
their authorities and institutions or of the delimitation of their boundaries.
The mention of names of specific companies or products (whether or not indicated as
registered) does not imply any intention to infringe proprietary rights, nor should it be construed
as an endorsement or recommendation on the part of the IAEA.
The IAEA has no responsibility for the persistence or accuracy of URLs for external or
third party Internet web sites referred to in this publication and does not guarantee that any
content on such web sites is, or will remain, accurate or appropriate.
CONTENTS
1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1. Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2. Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4. Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.5. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. ELEMENTS OF ENGINEERING SAFETY EVALUATIONS . . . . . 7
2.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2. Key elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.1. Phase 1: Event identification . . . . . . . . . . . . . . . . . . . . . 8
2.2.2. Phase 2: Hazard evaluation and load
characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.3. Phase 3: Design and evaluation approaches to
structures, systems and components . . . . . . . . . . . . . . . . 20
2.2.4. Phase 4: Plant performance assessment and
acceptance criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.5. Phase 5: Operator response . . . . . . . . . . . . . . . . . . . . . . . 25
2.3. Design and evaluation principles . . . . . . . . . . . . . . . . . . . . . . . . 25
2.3.1. Event agnostic effects: Loading conditions . . . . . . . . . . 25
2.3.2. Defence in depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.4. Input to nuclear power plant assessment . . . . . . . . . . . . . . . . . . 26
2.4.1. Plant performance criteria . . . . . . . . . . . . . . . . . . . . . . . . 26
2.4.2. Plant acceptance criteria . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.4.3. Operational status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4.4. Consideration of multi-unit sites . . . . . . . . . . . . . . . . . . 28
2.4.5. Severe accident prevention and management . . . . . . . . . 28
2.5. Assessments of extreme plant conditions . . . . . . . . . . . . . . . . . . 30
2.6. Uncertainty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3. EVENT IDENTIFICATION AND LOAD

CHARACTERIZATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.1. Screening of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

3.1.1. Screening by design robustness . . . . . . . . . . . . . . . . . . . 32
3.1.2. Screening by distance and magnitude and
by probability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.1.3. Screening by zone of influence . . . . . . . . . . . . . . . . . . . . 34
3.1.4. Example of systematic approach to defining scope:
Aircraft crash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.1.5. Special topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.2. Event, hazard and load characterization . . . . . . . . . . . . . . . . . . . 41
3.2.1. Load evaluation for design extension external events . . 41
4. PLANT SPECIFIC EVALUATION . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.1. Defence in depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

4.2. Success path and failure path . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.3. Selected equipment list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.4. Area dependent event evaluation . . . . . . . . . . . . . . . . . . . . . . . . 54
4.5. Performance of structures, systems and components . . . . . . . . . 55
4.5.1. Civil engineering structures . . . . . . . . . . . . . . . . . . . . . . 55
4.5.2. Mechanical and electrical equipment . . . . . . . . . . . . . . . 55
4.5.3. Piping, cabling, instrumentation and control,
and service lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.6. Plant performance evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.6.1. Safe shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.6.2. Containment function . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.6.3. Spent fuel pool integrity and cooling . . . . . . . . . . . . . . . 58
4.6.4. Ultimate heat sink availability . . . . . . . . . . . . . . . . . . . . 58
4.7. Assessment of external plant conditions . . . . . . . . . . . . . . . . . . 59
4.8. Acceptance criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.9. Evaluation procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5. DESIGN OF NEW PLANTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
5.1. Design process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

5.2. Human induced event: Agnostic design . . . . . . . . . . . . . . . . . . . 62
5.3. Redundancy, diversity and separation . . . . . . . . . . . . . . . . . . . . 64
5.4. Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.5. Design of structures, systems and components . . . . . . . . . . . . . 65
5.6. Design capacity of plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6. SAFETY EVALUATION OF EXISTING PLANTS . . . . . . . . . . . . . . 66

7. MANAGEMENT OF THE ASSESSMENT . . . . . . . . . . . . . . . . . . . . 66
REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
ANNEX: DEVELOPMENT OF THE EXTREME LOADING

DEFINITION MATRICES: THREE EXAMPLES . . . . . . . . . . . 71
ABBREVIATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
CONTRIBUTORS TO DRAFTING AND REVIEW . . . . . . . . . . . . . . . . . . 87
1. INTRODUCTION
1.1. BACKGROUND
IAEA Safety Standards Series No.SF-1, Fundamental Safety Principles[1],

establishes that the process of safety assessment of a nuclear installation needs
to be repeated periodically in whole or in part, as necessary in order to
take into account changed circumstances with respect to those considered for
the design. Following this principle, the IAEA initiated a major effort in 2001
targeted at the development of guidelines for the assessment of vulnerability
against accidental or postulated human induced external events not foreseen in
the design basis. Examples of accidental events include explosions caused by
pipeline failures, train crashes or hazardous material leaks from tanks. Examples
of postulated external events include station blackout and the loss of ultimate
heat sink due to unidentified causes.
The evaluation of the effects of accidental events on nuclear facilities can
be based on all of the tools for assessment, including screening by probability
of occurrence based on statistical evaluation of historical data. In the case of
postulated external events, screening by probability of occurrence is not a tool
available to the analyst, simply because the definition of the problem is such that
the facility is assumed to be in a hypothesized state (operating or shutdown),
without specification of how the facility reached this state. Consequently, the
evaluation is focused on addressing the hypothesized state rather than the cause.
There is general agreement among experts that the current practice for
nuclear facility design provides such a level of robustness that some external
events not explicitly considered at the design stage may be accommodated by the
nuclear facilities in their current configuration without significant radiological
consequences. This is believed to be true for nuclear facilities in general and for
nuclear power plants specifically. However, quantification is needed in order to
understand with a high level of confidence which events can be screened out in a
safety evaluation process and which events require a detailed assessment of the
actual plant level performance.
In this context, a series of three Safety Reports has been produced that
describe, generally and specifically, the approaches to addressing human
induced external events with a focus on nuclear power plants. The three reports
provide guidance to support the quantitative evaluation of the engineering safety
1
of facilities subjected to design basis external events and beyond design basis
external events. In addition to this Safety Report, they include:
(a) Safety Aspects of Nuclear Power Plants in Human Induced External Events:
Assessment of Structures, Safety Reports Series No.87[2];
(b) Safety Aspects of Nuclear Power Plants in Human Induced External Events:
Margin Assessment, Safety Reports Series No.88[3].
This publication is the first in the series. It provides the general framework
and includes a roadmap for performing the design and the evaluation of the
protection against human induced external events. This Safety Report concentrates
on an overall view of the methodology and on the important considerations for
its application to existing and new nuclear power plants. Topics covered include
elements of the design and evaluation approach, developed in five phases:
Phase 1: Event identification;

Phase 2: Hazard evaluation and load characterization;
Phase 3: Design and evaluation approaches to structures, systems and
components (SSCs);
Phase 4: Plant performance assessment and acceptance criteria;
Phase 5: Operator response.
The second report in the series addresses phases 2 and 3 of the general
framework. It provides detailed guidelines for the safety assessment of nuclear
power plant structures against mechanical impacts, explosions and fire hazards
caused by human induced external events. The report covers the characterization
of loading, the assessment of structural integrity using both simplified methods
and more elaborated methodologies, and the assessment of induced vibration.
Acceptance criteria are given in the report for different failure modes: overall
stability, overall bending and shear, local failure modes and induced vibrations.
In addition, since many of the human induced external events may result in a
fire, the process of analysing the fire consequences is also given. Approaches to
assessing the barrier fire performance and the fire performance of SSCs are also
given.
The third report in the series addresses phases 1 and 4 of the general
framework. The report describes the procedures for assessing the safety margins
of nuclear power plants against human induced external events. Both postulated
and accidental hazards are considered. The report focuses on plant and systems
performance evaluations. A tiered approach to margin assessment is provided.
The first tier consists of a deterministic procedure in which, for each scenario, the
2
existence of at least one undamaged success path1 to comply with the fundamental
safety function is investigated. This procedure can be extended to calculate
probability measures such as the conditional core damage probability and the
conditional probability of loss of spent fuel pool cooling and spent fuel damage,
given the scenario. In the most elaborated stage, probabilistic safety assessment
(PSA) techniques are introduced, giving consideration to the probabilistic aspects
of hazards and of SSC capacity (fragility). Event tree and fault tree models are
used to compute usual PSA metrics, such as core damage frequency, large early
release frequency, and frequency of loss of spent fuel pool cooling and spent fuel
damage.
In summary, these three publications in the Safety Reports Series provide
methodologies that can be used in the evaluation of SSC capacity of nuclear
power plants subjected to extreme human induced external events and in the
assessment of the resulting safety margin of the facilities. The three publications
may be useful to nuclear facility owners, operators and regulators who need
an understanding of the safety issues in relation to human induced events.
They contain descriptions of internationally accepted methods applied by the
engineering community and some examples that may be useful in the evaluation
of the need for plant upgrading. Many references are also provided for more
detailed guidance, and the publications rely on many IAEA safety standards and
relevant technical publications.
The three Safety Reports have a common thread and are closely related
to each other. Together, they provide an approach to the assessment against
extreme human induced external events fully consistent with the methods used
for evaluation of nuclear facilities subjected to extreme natural events, such as
earthquakes and floods.
1.2. OBJECTIVE
The objective of this Safety Report is to provide the framework of methods

to be implemented for the design and evaluation of nuclear facilities subjected
to extreme human induced external events. This framework addresses the
performance of the overall facility, and individual SSCs, from the standpoint of
complying with the fundamental safety functions.
1
A success path is a set of systems and associated components that can be used to
bring the plant to a stable hot or cold shutdown condition and to maintain this condition for a
specified period of time.
3
1.3. SCOPE
This Safety Report concentrates on the development of a methodology and

highlights considerations for its application to existing and new nuclear power
plants. The methodology, although directly applicable to nuclear power plants,
can easily be extended to other nuclear and non-nuclear facilities with complex
processes (e.g. fuel processing and reprocessing facilities, and research reactors)
with suitable grading based on the potential radioactive releases. The external
events considered are limited to human induced events of accidental origin and
exclude events that may be the result of malevolent action. Guidance provided
here, describing good practices, represents expert opinion but does not constitute
recommendations made on the basis of a consensus of Member States.
1.4. STRUCTURE
Section 2 provides an overview of the approach to engineering safety design

and assessment against human induced external events. The section describes the
key phases of the overall approach. It also includes general considerations about
design and assessment principles and uncertainties. Section3 is dedicated to the
first phases of the methodology; namely, the external event identification and the
definition of the loads to be considered in the assessment against each identified
event. Section4 is devoted to the plant specific evaluations. It describes in greater
detail the approaches to addressing human induced external events taking into
account the robustness of typical nuclear power plant designs, and it introduces
the processes of PSA and safety margin assessment (SMA) to such assessments.
It covers the selection of SSCs important for safety, the capacity evaluation
procedures and the assessment of performance of fundamental safety functions.
The section also includes examples of acceptance criteria. Section 5 presents
considerations for the design of new nuclear power plants, including the selection
of the design basis events and the basic design principles against extreme external
events. Section6 briefly explains the differences between evaluations for existing
and for new installations. Finally, Section7 addresses management of the efforts
for the assessment.
As a supplement to Section 3, the Annex provides three examples to
illustrate the preparation and use of the extreme loading definition matrices
corresponding to human induced external events.
4
1.5. DEFINITIONS
Event
Any occurrence that is unintended by the operator of the nuclear facility,

the consequences or potential consequences of which are not negligible from the
point of view of safety.
Human induced external event
An event that is unconnected with the operation of the nuclear facility. In

this publication, human induced external events are defined by loading conditions
to be evaluated or to be taken into account in the design. Examples treated in
Ref.[2] include aircraft crashes, explosions and large fires.
Design basis external event
An external event explicitly taken into account in the design of a facility,

according to established criteria, such that the facility can withstand without
exceeding authorized limits by the planned operation of safety systems or
structures.
Beyond design basis external event
An external event that is more severe than a design basis external event
(DBEE). The term refers to external events either not included as a design basis
or included with a lower degree of severity.
Design extension external event
An external event that is not considered as a DBEE, but that is considered in

the design process of the facility in accordance with best estimate methodology,
and for which releases of radioactive material are kept within acceptable limits.
Hence, a design extension external event (DEE) refers to a rare and severe
external event that is considered in the design process using realistic, rather than
conservative, assumptions and acceptance criteria (see Fig.1).
Loading conditions
Loading conditions for each external event are defined probabilistically or

deterministically by the Member State. Tiered loading conditions are adopted
5
in Refs[2,3]. These multiple loading conditions are denoted as follows: DBEE,
DEE1 and DEE2. Increased magnitudes of loads are defined for DBEE, DEE1
and DEE2. Design extension conditions are events to be used in the design or
evaluation process that correspond to rare and severe external events. Design
processes of most existing facilities do not consider design extension conditions
(see Fig.1).
Increasing Event Severity
Beyond design basis external event
External events either not included as a general design basis or included

with a lower degree of severity
General design basis

Design extension external event (DEE) Events eliminated
external event (DBEE)
from consideration
Rare and severe external events
Events that are explicitly
taken into account in the Events considered in the design or evaluation
design and associated design process using realistic, rather than conservative,
basis analyses, according to assumptions and acceptance criteria
established criteria
FIG.1. Classification of external events from the point of view of design requirements.
Performance criteria
A defined function that the plant and SSCs is required to perform when
subjected to the events (especially important for design extension events).
Examples of performance criteria for DBEE are the design criteria (e.g. for
structures essentially elastic behaviour). Examples DEE1 include system
redundancy, reduced functionality (but adequate for cold shutdown), and structure
integrity and leaktightness. Examples for DEE2 include reduced functionality
(but adequate for structure integrity) and cold shutdown. System redundancy is
not required.
Acceptance criteria
Criteria that the plant and SSCs are required to satisfy when subjected to the
events in order to show that the performance criteria are met. They may be design
criteria or less conservative criteria. They may be success paths (multiple success
paths or a single success path, depending on the loading condition). They may
6
be PSA metrics, such as conditional probability of failure of the nuclear power
plant or of specific SSCs. They may be based on best estimate procedures and
parameter values or on conservatively biased values. Tiered acceptance criteria
corresponding to the tiered loading conditions are adopted in Refs[2,3].
Structures, systems and components margin
A generic term defining the relative or absolute measure of a key

performance parameter compared to acceptance criteria. For instance, design
margin is the relationship between SSC state and the design allowable state;
high confidence of low probability of failure margin is the 95% confidence of
not exceeding a 5% probability of failure of the SSC state compared to a load
descriptor; median failure margin is the best estimate of margin (50% probability
of failure compared to a load descriptor).
Plant margin
In the context of Ref.[3], the level of a hazard, generally beyond the

design basis, that compromises the safety of the plant according to a specified
metric, such as plant high confidence of low probability of failure margin and
plant median margin. Here, the compromising of safety means that the plant is
rendered incapable of achieving safety objectives under the impact of the hazard.
2. ELEMENTS OF ENGINEERING SAFETY

EVALUATIONS
2.1. ASSUMPTIONS
For the design or evaluation of nuclear facilities subjected to extreme

human induced external events, a series of assumptions needs to be made on the
basis of which the evaluation or design is performed. The assumptions are to be
agreed with the regulatory authority, and examples include:
(a) Loss of off-site power: This may occur owing to failure of on-site or off-site
physical elements, such as switchyard (on-site) or grid infrastructure (most
likely transmission towers, although substations and power generation plants
could also be vulnerable). The hypothesized event (e.g. an aircraft crash)
7
may easily affect on-site elements, such as the switchyard, and still possess
energy to impact buildings and structures.
(b) Plant state when event occurs: The external event can take place, for
example, at full power and normal state, during hot shutdown due to
advance warning of extreme human induced event occurring imminently,
and at shutdown condition during refuelling outage.
(c) Time before aid from outside the plant boundary can arrive.
2.2. KEY ELEMENTS
As introduced in Section1.1, the engineering safety evaluation process is

composed of five phases:
Phase 1: Event identification;

Phase 2: Hazard evaluation and load characterization;
Phase 3: Design and evaluation approaches to SSCs;
Phase 4: Plant performance assessment and acceptance criteria;
Phase 5: Operator response.
2.2.1. Phase 1: Event identification
Phase 1 is the first and highest level of screening implemented in the

process. In this phase, human induced external events with the potential to
cause unacceptable consequences are identified for further evaluation. IAEA
Safety Standards Series No. NS-R-3(Rev.1), Site Evaluation for Nuclear
Installations[4], identifies aircraft crashes and associated phenomena (impacts,
fires and explosions), other explosions, fire and hazardous material releases as
human induced events to consider.
IAEA Safety Standards Series No. NS-G-3.1, Human Induced External
Events in Site Evaluation for Nuclear Power Plants[5], supports the requirements
in NS-R-3(Rev.1)[4]. Tables13 are reproduced from NS-G-3.1[5], linking
potential sources of human induced events to potential initiating events, to
event development and to impact on the nuclear power plant (or other nuclear
installation). Table1 categorizes sources of events as stationary or mobile and
identifies potential initiating events (also called hazards). Table2 lists potential
evolution of the events into specific loading conditions on the installation. Table3
expands on the loading conditions on the installation and their consequences,
indicating the parameters that can be used to assess the impact on the SSCs of
the facility.
8
TABLE 1. IDENTIFICATION OF SOURCES AND ASSOCIATED
INITIATING EVENTS (cont.)
Facilities and transport Relevant features of

Initiating event
systems to be investigated the facilities and traffic
Stationary sources
Oil refinery, chemical plant, Quantity and nature of Explosion

storage depot, broadcasting substances Fire
network, mining or Flow sheet of process Release of flammable,
quarrying operations, forests, involving hazardous explosive, asphyxiant,
other nuclear facilities, high materials corrosive, toxic or
energy rotating equipment
Meteorological and radioactive substances
topographical characteristics Ground collapse, subsidence
of the region
Projectiles
Existing protective measures
Electromagnetic interference
in the installation
Eddy currents into the ground
Military facilities Types of activities Projectile generation

(permanent and temporary) Quantities of hazardous Explosion
materials Fire
Features of hazardous Release of flammable,
activities explosive, asphyxiant,
corrosive, toxic or
radioactive substances
Mobile sources
Railway trains and wagons, Passage routes and Explosion

road vehicles, ships, barges, frequency of passage Fire
pipelines Type and quantity of Release of flammable,
hazardous material associated explosive, asphyxiant,
with each movement corrosive, toxic or
Layout of pipelines radioactive substances
including pumping stations, Blockage, contamination
isolation valves (such as from an oil spill)
Characteristics of the or damage to cooling water
vehicle (including intake structures
protective measures) Impacts of derailed vehicles
Meteorological and
topographical characteristics
of the region
9
TABLE 1. IDENTIFICATION OF SOURCES AND ASSOCIATED
INITIATING EVENTS (cont.)
Facilities and transport Relevant features of

Initiating event
systems to be investigated the facilities and traffic
Mobile sources
Airport zone Aircraft movements and Abnormal flights leading to

flight frequencies crashes
Runway characteristics
Types and characteristics of
aircraft
Air traffic corridors and Flight frequencies Abnormal flights leading to

flight zones Types and characteristics of crashes
(military and civil) aircraft
Characteristics of air traffic
corridors
Source: Table I of NS-G-3.1[5].
TABLE2. EVOLUTION OF EVENTS AND IMPACT ON THE NUCLEAR

POWER PLANT (cont.)
Possible impact of each

Initiating event Development of event
event on the planta
Explosion Explosion pressure wave (1) (2) (3) (4) (5) (6) (7)
(deflagration, detonation) Projectiles
Smoke, gas and dust
produced in the explosion
can drift towards the plant
Associated flames and fires
Fire (external) Sparks can ignite other fires (3) (4) (5) (6)
Smoke and combustion gas
of fire can drift towards the
plant
Heat (thermal flux)
10
TABLE2. EVOLUTION OF EVENTS AND IMPACT ON THE NUCLEAR
POWER PLANT (cont.)
Possible impact of each

Initiating event Development of event
event on the planta
Release of flammable, Clouds or liquids can (1) (2) (3) (4) (5) (6)
explosive, asphyxiant, drift towards the plant and
corrosive, toxic or burn or explode before or
radioactive substances after reaching it, outside or
inside the plant
Clouds or liquids can also
migrate into areas where
operators or safety related
equipment can be prevented
from functioning
Aircraft crashes or abnormal Projectiles (1) (2) (3) (4) (5) (6)
flights leading to crashes, Fire
collision of planes,
Explosion of fuel tanks
projectiles
Vehicle impacts
Ground collapse Ground collapse (7) (8) (9)

Interference with cooling
water systems
Blockage or damage Interference with cooling (12)

to cooling water intake water systems
structures
Electromagnetic interference Electromagnetic fields (10)

around electrical equipment
Eddy currents into ground Electric potential into (11)

ground
Source: Table II of NS-G-3.1[5].

a
See Table 3 for an explanation of the numerals.
11
TABLE
3. IMPACT ON THE NUCLEAR POWER PLANT AND
CONSEQUENCES (cont.)
Impact on the plant Parameters Consequences of impact
(1) Pressure wave Local overpressure at Collapse of parts of structure or
the plant as a function disruption of systems and components
of time
(2) Projectile Mass Penetration, perforation or spalling
Velocity of structures or disruption of systems
and components
Shape
Collapse of parts of structure or
Size
disruption of systems and components
Type of material
Vibration induced false signals in
Structural features equipment
Impact angle
(3) Heat Maximum heat flux and Impaired habitability of control room
duration Disruption of systems or components
Ignition of combustibles
(4) Smoke and dust Composition Blockage of intake filters
Concentration and Impaired habitability of control room
quantity as a function and other important plant rooms and
of time affected areas
(5) Asphyxiant and Concentration and Threat to human life and health and
toxic substances quantity as a impaired habitability of safety related
function of time areas
Toxicity and asphyxiant Prevention of fulfilment of safety
limits functions by operators
(6) Corrosive and Concentration and Threat to human life and health and
radioactive quantity as a function impaired habitability of safety related
liquids, gases and of time areas
aerosols Corrosive, radioactive Corrosion and disruption of systems
limits or components
Provenance (sea, land) Prevention of fulfilment of safety
functions
(7) Ground shaking Response spectrum Mechanical damage
(8) Flooding Level of water with time Damage to structures, systems and
(or drought) Velocity of impacting components
water
(9) Subsidence Settlement, differential Collapse of structures or disruption of
displacement, settlement systems and components, including
rate buried pipes, cables
12
TABLE
3. IMPACT ON THE NUCLEAR POWER PLANT AND
CONSEQUENCES (cont.)
Impact on the plant Parameters Consequences of impact
(10) Electromagnetic Frequency band and False signals on electric equipment
interference energy
(11) Eddy currents Intensity and duration Corrosion of underground metal
into ground components
Grounding problems
(12) Damage to water Mass of the ship, impact Unavailability of cooling water
intake velocity and area, degree
of blockage
Source: Table III of NS-G-3.1[5].
Phase 1 comprises three steps: general assessment of potential events,

consequence evaluation, and screening and categorization of events. These steps
are described in the following subsections.
2.2.1.1. Step 1: Event assessment
Event assessment means a complete identification and evaluation

of previously and newly defined events, categorizing them for inclusion
in the evaluation. An event assessment comprises: (i) identification of the
event; (ii) definition of the loading conditions associated with the event; and
(iii) selection of the evaluation process (including methodologies of evaluation
and parameters to be considered), consequence identification and acceptance
criteria.
Comprehensive and well organized human induced event assessment
programmes need to be conducted by the operator of the nuclear power plant and
reviewed, as appropriate, by national, state and local government organizations,
as these organizations are the source of much of the information on the hazards
evaluated.
2.2.1.2. Step 2: Consequence evaluation
In this step, the Member State identifies the consequences of interest to

determine the events to be taken into account. Typical considerations include:
(a) Safety of the public: To control the radiation exposure to people during
operational and accidental states, which is the overarching metric, with
13
intermediate metrics such as:
Core damage frequency;
Containment and containment systems failure;
Large early release frequency;
Release of radioactive material to the environment (dispersion in air,
water and ground);
Collateral effects (e.g. explosions and release of hazardous materials).
(b) Environmental consequences: Short, medium and long term effects on the
environment (air, water and ground).
(c) Safety of plant personnel: Short, medium and long term health and welfare
of plant personnel.
(d) Energy security of the Member State: The need for the power generated by
the nuclear power plant for Member State welfare.
(e) Economic considerations: Short, medium and long term effects on the
Member State economy.
2.2.1.3. Step 3: Screening and categorization of events
This step is the decision process, in which the Member State screens and
categorizes the identified events from Step 1, and applies the consequence criteria
from Step 2 to define the events to be considered for the nuclear power plant of
interest. Categories include:
(a) Not to be considered: This includes those events that are not applicable
owing to reasons such as:
Physical conditions of the nuclear power plant of interest (e.g. an event
defined by a barge carrying large quantities of chlorine, which could be
accidently released, but with no navigable water near the nuclear power
plant);
Events that remain the responsibility of the Member State to ensure no
impact on the nuclear power plant (e.g. a state owned dam whose water
should be systematically released to prevent overtopping or dam failure
under extreme flooding conditions).
(b) DBEEs: Generally, these are events considered in the design.
(c) DEEs: These are rare and extreme events for which realistic, rather than
conservative assumptions and acceptance criteria, can be used. They are the
principal subject of the design and evaluation process and methodology of
Refs[2,3]. In existing plants, these events were generally not considered
in the design.
14
2.2.1.4. Phase 1 end products
Phase 1 end products are:
(a) A comprehensive list of identified human induced events that may be

applicable to the nuclear power plant (Step1);
(b) Documentation of the Member State defined consequence criteria, which
will be the basis for screening in, or out, human induced external events
(Step2);
(c) The disposition of the identified human induced events into three bins
(Step 3).
DBEEs and DEEs are not to be considered.
2.2.2. Phase 2: Hazard evaluation and load characterization
The result of Phase 1 is the list of DBEEs and DEEs and their specification
as input to Phase 2. In Phase2, the list is refined by more detailed assessment of
the range of potential events for their applicability to the specific nuclear power
plant (or other nuclear installation) under design or assessment.
In Phase 2, a second level of screening based on-site and nuclear power
plant specific characteristics is implemented. Typical screening parameters to be
applied in this phase are probability, magnitude and distance of event specifics,
and on-site characteristics (e.g. design conditions and zones of influence). These
screening parameters are discussed in Section3.1. An additional consideration is
the type and number of co-located facilities on the site (see Section3.1.5.1).
The screened-in human induced external events are further evaluated and
loading functions are defined for the engineering evaluation. Additional screening
may be performed at this stage. The result is a final list of events to be considered
in the evaluation.
The load characterization is the link between the events and the definition
of the loading environment for the plant engineering organization to evaluate.
The resulting matrix of loading conditions produced by the events is to be applied
to the entire facility or to portions of it (see Table4).
Tables 57 expand on Scenario 1 in Table 4 (aircraft impact event) to
identify the following parameters for engineering evaluation: impact, heat/fire
and vibration. Reference[2] describes the engineering evaluation process in
detail. These matrices, with their backup data, define the engineering loading
environments.
15
16
TABLE 4. EXTREME ENVIRONMENT MATRIX
PHYSICAL LOADING CONDITIONS
Hazardous
Scenario No. Scenario description Impact Blast Heat/fire Smothering Flooding Other
materials release
Crash of a large passenger

aircraft with a fully 1, 2, 3 1, 2
1 No No No No No
fuelled fuselage into a (Table 5) (Table 6)
nuclear power plant
1
2 Chlorine release No No No No No No
(Table A6)
1 3, 4 2, 3
3 Blast pipeline No No No Debris
(Table A10) (Table A8) (Table A9)
Note: Numbers under the physical loading conditions columns are explained in the specific table in parentheses. This example is explored in greater
detail in the Annex.
TABLE 5. IMPACT PARAMETER DEFINITION MATRIX: SCENARIO 1 (AIRCRAFT IMPACT)
MISSILE IMPACT ANCILLARY EFFECTS
Impact
Impact Relative
Missile No. Description Mass (kg) Shape/configuration velocity Fire Explosion Vibration Other
angle hardness
(m/s)
Crash of a large
passenger aircraft
with a fully fuelled Fuselage 310 to 1, 2, 3
1 396 900 110 Flexible No No No
fuselage into a 40 m2/52 m2 horizontal (Table 7)
nuclear power
plant
Large passenger
Circular body 310 to
2 aircraft engines 4 300 110 Semi-rigid No No No No
2.7 m fan diameter horizontal
as projectiles
310 to
3 Debris 5 000 Rigid body 110 Rigid No No No No
horizontal
17
18
TABLE 6. HEAT/FIRE PARAMETER DEFINITION MATRIX: SCENARIO 1 (AIRCRAFT IMPACT)
FIRE SOURCE OUTSIDE FACILITY COMBUSTIBLES INSIDE FACILITY
Heat
Burn Burn
Combustible/ Quantity Spreading potential/ Building/ Quantity Ignition
Fire No. Description duration Type duration
ignition (L) surface temp. yard (L) likelihood
(h) (h)
(C)
Jet fuel fire

Inside
from a large Half surface of
1 Yes 216 000 1 200 <1 outer 1 500 Kerosene Yes 1.5
passenger outer shell
shell
aircraft
Horizontal
crash of
a large
passenger
aircraft,
2 with a fully Yes 216 000 60 m 500 m 1 200 18 No No Kerosene No No
fuelled
fuselage, on
the yard of
a nuclear
power plant
TABLE 7. VIBRATION PARAMETER DEFINITION MATRIX: SCENARIO 1 (AIRCRAFT IMPACT)
LOADING FUNCTIONS
Loading function time histories

Vibration loading Load application
Location (elevation)
condition No. (building)
Rigid target Flexible target Flexible/non-linear target
1 Reactor building All No No Yes
Emergency cooling
2 All No No Yes
water building
Diesel generator
3 All No Yes No
building
19
(a) A potentially reduced set of screened-in human induced external events for
detailed evaluation;
(b) The engineering loading conditions to be considered for each of the
screened-in events to be evaluated.
2.2.3. Phase 3: Design and evaluation approaches to structures, systems

and components
Phase 3 broadly covers many topics applicable to the evaluation of existing

nuclear power plants and new designs. Phase 3 is where the majority of the
engineering studies are performed.
Systems modelling is treated in detail in Ref.[3]. There are several possible

approaches as a function of the characteristics of the screened-in events:
Demonstrating that design loading conditions and/or the design robustness

encompass the loading conditions of the screened-in event (discussed in
Section3);
Probabilistic safety assessment (PSA), detailed or simplified, discussed in
detail in Ref.[3];
Safety margin assessment (SMA), discussed in detail in Ref.[3].
PSAs are composed of the following elements:
(a) Hazard analysis leading to initiating events: The human induced external
events are the result of the hazards, which materialize in initiating events.
Each of the events may directly, or indirectly, generate event sequences
within the plant that have the potential to lead to core damage, containment
failure and radioactive material release. For DEEs, in the order of two to
ten initiating events may be identified for evaluation.
(b) Plant response: Two aspects of plant response are of interest plant system
behaviour and the behaviour of SSCs to the imposed loading conditions for
the events. Plant systems are typically modelled by a combination of event
trees and fault trees. The event (e.g. an aircraft crash) is the initiator of
the accident sequences. Plant accident sequences are initiated by a faulted
condition, such as a loss of coolant accident, and are modelled by event
trees. The ability of the plant systems to mitigate the consequences of the
20
faulted condition depends on the degradation or failure of those safety
systems. For example, assuming a coincidental loss of off-site power, an
aircraft crash causes a loss of coolant accident, and the tertiary effect of
the aircraft crash is a fire in the yard that damages the emergency power
system.
(c) Fragility analysis: The analysis is performed on fragility functions of SSCs
subjected to the DEE loadings of the event. Fragility is defined as the
probability of failure as a function of the size of the input load. Generally,
the fragility function is in terms of a single load parameter. This single
parameter could integrate a number of factors into the single parameter;
for example, for an aircraft crash, variability associated with impact
parameters, such as velocity, angle and location of impact, and physical
characteristics, such as the mass of the aircraft, could be integrated into
a resulting single parameter. Alternatively, a multivariate fragility analysis
could be performed, but this is not typically used in nuclear facility PSA
methodology. For simplified evaluations, fragility functions for SSCs may
be assumed to be binary (i.e. zero or one), leading to screening of SSCs
based on the location relative to the damage footprint, or zone of influence.
(d) Accident sequence and systems analysis: In the majority of PSA
applications for internal and external events, event trees are developed to
model accident sequences and fault trees are developed to model failures
of elements within the event trees, such as systems and structures. For the
current applications of PSA modelling of human induced events, existing
systems models for internal and external initiators provide a valuable
starting point. Modifications to these systems models are required to include
failures normally not considered credible for previously modelled hazards.
One example is underground cable chases, which may be assumed to be
robust against internal events and external events, such as earthquakes,
wind storms and floods. However, a jet fuel fire in the yard may seep into
the cable chase and cause failure. Hence, for specific events, previously
screened out components need to be revisited for potential inclusion.
(e) Plant damage state: Accident sequences lead to core damage or core melt
end points to which containment performance trees need to be added. The
analyst needs to recognize that containment performance may be directly,
or indirectly, affected by the loading conditions of the containment systems.
(f) Containment assessment: Containment performance criteria vary among
Member States. In some Member States, containment damage and failure
may be allowed if core damage failure does not occur. In addition, emergency
management equipment as specified in emergency management equipment
guidance (EMEG) and diverse and flexible coping strategies (FLEX) are
important elements in containment performance achievement[6,7].
21
(g) Off-site release: Off-site release may or may not be considered depending
on the risk acceptance criteria.
In using the plant specific PSA approach, each event is in theory modelled
by a set of event trees and fault trees similar in structure but with significant
differences in loading conditions and consequently plant failure probabilities.
To improve efficiencies of the analyses, the enveloping of loading conditions
needs to be considered to the extent possible, assuming this does not cause
excessively conservative results.
Many nuclear installations, in particular nuclear power plants, have
developed a plant specific PSA. These studies typically model internal events
and, in some cases, external events, such as earthquakes, fire, flooding and
high wind loads, including tornadoes. The plant specific PSA can be adapted to
perform an in depth safety analysis for extreme human induced external events.
The adaptation of the PSA for this analysis has some advantages, including:
The existing plant logic models are available, can be adapted and used, and
these models are the most accurate description of plant behaviour.
End metrics consistent with high level acceptance criteria can be modified
and used (e.g. core damage frequency and large release frequency can be
calculated).
Relative risk ranking of events can be made.
Risk ranking of overall effectiveness of existing and proposed SSCs is
possible.
Effects of human error and unavailability of systems can be included.
On the other hand, the PSA approach also has some disadvantages. Unless
a very simplified PSA approach is used, such as a simplified event tree method, it
is only cost effective to use the PSA approach if an internal events PSA has been
performed. It is preferable that both internal events and external events, such as
earthquakes, high winds, floods or fire, are modelled using PSA techniques. Then,
it is only necessary to modify the systems models to include those basic events
that were screened out for previous studies but are potentially relevant to the
human induced external events. In addition, fragility functions are required for a
large number of components, depending on the detail of the systems models and
the number of events. The total number of SSCs may require significant effort
even after grouping and screening components according to similar behaviour
and capacities. Furthermore, specialized expertise is required of the engineering
team that develops these fragility functions.
22
Another possibility is the SMA. In general, the SMA procedure comprises
the following elements:
(1) Input given by the extreme environment definition matrices (see Tables 47).
(2) Definition of overall nuclear facility performance criteria when subjected
to the extreme external events: For example, for a nuclear power plant
subjected to a DEE, the overall performance criteria may be defined as hot
or cold shutdown for 24hours after the event occurs. A further assumption
is that additional aid from outside the plant boundary can be effectively
mobilized within the 24 hour period. The performance criteria, including
the duration of plant shutdown before aid from outside the plant can be
mobilized, need to be established.
(3) Assumptions for the engineering evaluations: For example, loss of off-site
power conditions, operating state of facility (full or partial operation),
system criteria (redundancy) or SSC capacity criteria (code based or less
conservative).
(4) Definition of one or more ways to achieve safe shutdown or success paths.
(5) Identification of SSCs that comprise the safe shutdown paths and are
required to function during and after the event, given the aforementioned
assumptions: Definition of the specific functions these SSCs need to
perform during and after the event. The SSCs are itemized on the selected
equipment list (SEL).
(6) Evaluation of SSC capacity (items on the SEL) when subjected to the
extreme loading conditions specified: For the SMA, the measure of
capacity needs to be established when subjected to the specified loading
conditions (e.g. the high confidence of low probability of failure, median
centred capacity or other criteria). This step entails in-office and in-plant
evaluations. The in-plant evaluations are the plant walkdowns.
(7) Definition of a measure of plant capacity, such as the size of the event, for
which there is best estimate likelihood that the nuclear power plant will
achieve hot or cold shutdown (or other end metrics): The plant end state is
compared with the acceptance criteria.
(a) Execution of assessments according to the agreed upon methodologies for

human induced external events (i.e. the demonstration of design robustness,
PSA or SMA);
23
(b) Results of the assessments for comparison with acceptance criteria;
(c) Sensitivity study results, if performed.
2.2.4. Phase 4: Plant performance assessment and acceptance criteria
Acceptance criteria are in the form of end metrics that may be risk oriented,
for example core damage frequency (conditioned on a human induced external
event occurring), or may be in the form of capacity values, such as best estimate
or high confidence that the nuclear power plant reaches cold shutdown when
subjected to the event (e.g. the impact of a specified aircraft). Other important
items are spent fuel pool structural integrity and cooling.
The concept of a tiered approach to defining acceptance criteria is
introduced. For example, the consequences of less severe events on the nuclear
power plant of interest need to meet more stringent acceptance criteria than those
of the most severe events. For less severe events, requirements include redundant
success paths to arrive at safe shutdown and conservatism in defining both
the environmental loading functions and the performance criteria of SSCs
essentially elastic material behaviour for structures, components, equipment and
distribution systems. For the most severe events, verifying a single success path
to safe shutdown using realistic analyses may be acceptable. Table 8 presents
an example following this concept. Reference[2] follows this approach when
discussing structural capacity acceptance criteria.
The information in Table 8 highlights the importance of defining
the required civil structure functional behaviour when subjected to human
induced external events. Typically, civil structure functional requirements
range from leaktightness (e.g. containment) to providing structural support
of systems, equipment, components and distribution systems important to
safety (e.g. anchorage), to providing barriers to protect SSCs important to
safety (e.g. fire barriers and explosive protection walls). It is the civil structure
function that requires design and evaluation. The performance assessment results
are compared with acceptance criteria and on this basis the vulnerabilities are
identified.
Phase 4 end products are, as a function of the event, plant performance

assessment and identified vulnerabilities for the nuclear power plant subjected to
DBEEs and DEEs.
24
TABLE8. PLANT ACCEPTANCE CRITERIA: EXAMPLE
No. of No. of
Capacity
Event level Civil structure Safety functions shutdown decay heat
assessment
paths removal paths
DBEE Essentially Safe shutdown Multiple Multiple Conservative

elastic Decay heat
removal
Containment
DEE 1 Plastic Safe shutdown 2 2 Best estimate

Decay heat (median)
removal
Containment
DEE 2 Plastic Safe shutdown 1 1 Best estimate

Decay heat (median)
removal
Note: DEE design extension external event; DBEE design basis external event.
2.2.5. Phase 5: Operator response
Given the results of Phase 4, the operator may take additional steps to
address the identified vulnerabilities. These steps include prioritization and
implementation of the compensatory and/or upgrading measures (e.g. design
changes, operating procedure changes and administrative measures).
2.3. DESIGN AND EVALUATION PRINCIPLES
2.3.1. Event agnostic effects: Loading conditions
A philosophy of design and evaluation consisting of defining a set of event

agnostic loading conditions and treating those as generally enveloping anticipated
future defined human induced external events is prudent (see Section5.2).
25
2.3.2. Defence in depth
The most general approach to the design and evaluation of nuclear power
plants subjected to human induced external events is the utilization of the concept
of defence in depth in the safety domain[1,8]. The layers of defence in depth may
be intrinsic or extrinsic, on-site or off-site. Furthermore, some layers of defence
in depth will be related to prevention of the event and others to mitigation when,
for example, core damage is considered the metric. Section4 presents the basic
concepts of defence in depth when applied to the assessment of safety against
human induced external events.
2.4. INPUT TO NUCLEAR POWER PLANT ASSESSMENT
In accordance with the phases defined in Section2.2, the following aspects

are to be stipulated by the Member State as input to the safety evaluation against
human induced external events.
2.4.1. Plant performance criteria
Plant performance criteria may be defined in one or more of the following:
(a) High level requirements, such as core damage frequency or large early
release frequency, lower than threshold values. Methods of demonstration
to be specified.
(b) Plant safe state achieved: hot or cold shutdown and cooling over a required
time period (e.g. 24 or 72hours).
(c) High confidence of survival of specified SSCs, such as containment
structure and containment systems, spent fuel pool and spent fuel pool
support functions.
2.4.2. Plant acceptance criteria
Acceptance criteria are innately tied to plant performance criteria, as

follows (see also Table8):
(a) Risk metrics are in terms of frequencies of occurrence per annum, and the
acceptance criteria may be a fraction of the required core damage frequency
or large early release frequency specified in the Member State.
26
(b) Plant safe states may be ensured through the identification of success paths
to arrive at hot or cold shutdown. One can envision the Member State
(or the operator) requiring:
(i) Conservatism in design or evaluation for less severe scenarios, such
as requiring redundancy in success paths and conservatism in the
evaluation processes, thereby ensuring with high confidence that hot
or cold shutdown is achieved and future restart of the nuclear power
plant is likely;
(ii) For extreme DEEs, liberalized acceptance criteria may be permitted
with one shutdown path ensured, SSC acceptance criteria liberalized,
best estimate or median centred evaluations permitted, among other
things.
Plant acceptance criteria are then defined by the Member State as[9]:
DBEE: All safety system functions and capabilities continue to be available

for DBEEs. The design provides for the ongoing availability of fundamental
safety functions during DEEs. These provisions will depend on the severity
of the event.
DEE 1: For more severe events, there is to be a safe shutdown path that
comprises at least one means of reactor shutdown, fuel cooling and
retention of radioactive material from the reactor. There should be sufficient
structural integrity to protect important systems. Two such success paths
are to be identified, where practicable.
DEE 2: For extreme external events, there is to be at least one means of
reactor shutdown and core cooling. Degradation of the containment barrier
may allow the release of radioactive material. However, the degradation
should be limited, with the goal that the dose acceptance criteria are
not exceeded. In these cases, the response includes on-site and off-site
emergency measures.
2.4.3. Operational status
Full power and shutdown operational modes for maintenance and refuelling
are to be considered.
27
2.4.4. Consideration of multi-unit sites
Multi-unit sites and multi-use sites present special circumstances. Special

attention needs to be given to common cause events, in particular considerations
such as shared systems between units or assumptions about assistance of one unit
to another. Such assistance may be unavailable owing to physical situations or the
confusion that may accompany a DEE. Multi-use sites, such as chemical plants
co-located at, or near to, a nuclear power plant may present additional loading
environments if impacted by the DEE, for example breaching of chemical storage
tanks due to an accidental explosion thereby releasing a hazardous material could
be a threat to the adjacent nuclear power plant.
2.4.5. Severe accident prevention and management
In addition to existing measures, additional measures to prevent and

mitigate severe accidents have been implemented in many Member States in
the light of the Fukushima Daiichi accident, on 11 March 2011. For instance,
Refs[6,10] detail an approach broadly termed FLEX to supplement existing
safety systems in nuclear power plants.
As stated in Ref.[6]:
The consequences of postulated beyond-design-basis external events

that are most impactful to reactor safety are loss of power and loss of the
ultimate heat sink. This document outlines an approach for adding diverse
and flexible mitigation strategies or FLEX that will increase defense-
in-depth for beyond-design-basis scenarios to address an ELAP [extended
loss of AC power] and loss of normal access to the ultimate heat sink
(LUHS) occurring simultaneously at all units on a site. ...
FLEX consists of the following elements:

Portable equipment that provides means of obtaining power and
water to maintain or restore key safety functions for all reactors at
a site. This could include equipment such as portable pumps, generators,
batteries and battery chargers, compressors, hoses, couplings, tools,
debris clearing equipment, temporary flood protection equipment and
other supporting equipment or tools.
Reasonable staging and protection of portable equipment from
BDBEEs [beyond design basis external events] applicable to a site.
The equipment used for FLEX would be staged and reasonably protected
from applicable site-specific severe external events to provide reasonable
28
assurance that N sets of FLEX equipment will remain deployable
following such an event [where N = number of units on a site].
Procedures and guidance to implement FLEX strategies. FLEX
Support Guidelines (FSG), to the extent possible, will provide
pre-planned FLEX strategies for accomplishing specific tasks in support
of Emergency Operating Procedures (EOP) and Abnormal Operating
Procedures (AOP) functions to improve the capability to cope with
beyond-design-basis external events.
Programmatic controls that assure the continued viability and
reliability of the FLEX strategies. These controls would establish
standards for quality, maintenance, testing of FLEX equipment,
configuration management and periodic training of personnel.
The FLEX strategies will consist of both an on-site component using

equipment stored at the plant site and an off-site component for the
provision of additional materials and equipment for longer-term response.
To incorporate FLEX into the evaluations being performed, several of the

issues described as elements of the FLEX system need to be verified:
(a) If there is no redundancy, diversity and separation (i.e. if FLEX is a single

train system), then verification is required of the following:
(i) There will be no damage to FLEX equipment from the extreme human
induced external event (no damage from impact, collateral damage
from debris, damage from fire, or from smoke from aircraft crash; and
no damage from an explosion);
(ii) There will be no damage in the yard to impede the personnel from
performing their required function to implement FLEX;
(iii) There will be no missing equipment or inoperative equipment;
(iv) There will be no human error, so the single train system is 100%
operative (zero failure).
(b) If FLEX is a single train system, the likelihood, potentially a small
likelihood based on evaluations as described above, that a single train
FLEX system does not perform its function needs to be considered.
29
2.5. ASSESSMENTS OF EXTREME PLANT CONDITIONS
In the light of the Fukushima Daiichi accident, some Member States

require operators to evaluate extreme plant conditions without consideration for
the mechanism to reach such a state, for example:
Station blackout;
Loss of primary ultimate heat sink;
Both occurring simultaneously.
These extreme plant conditions need to be evaluated without consideration

of applying probability arguments as to why they are not credible. Within the
DBEE and DEE environment, one can easily hypothesize scenarios that could
produce these plant states. An example scenario is:
A loss of off-site power;

All emergency diesel generators in a single building this building is
disabled by an extreme flood;
No possible recovery in the short term.
The evaluation needs to include mitigation strategies, implementation and

training.
2.6. UNCERTAINTY
In treating extreme external events of all types, it needs to be recognized

that all elements of the evaluation are subject to two types of variability or
uncertainty: aleatoric and epistemic[11]:
Aleatoric uncertainty is the uncertainty inherent in a non-deterministic

(stochastic, random) phenomenon. Aleatoric uncertainty is reflected by
modelling the phenomenon in terms of a probabilistic model. In principle,
aleatoric uncertainty cannot be reduced by the accumulation of more data
or additional information (sometimes called randomness).
.......
30
Epistemic uncertainty is the uncertainty attributable to incomplete
knowledge about a phenomenon that affects the ability to model it.
Epistemic uncertainty is reflected in ranges of values for parameters, a range
of viable models, the level of model detail, multiple expert interpretations,
and statistical confidence. In principle, epistemic uncertainty can be reduced
by the accumulation of additional information (also called modelling
uncertainty).
The composite variability is the total uncertainty including the aleatoric and
epistemic uncertainties. In many cases, aleatoric and epistemic uncertainty are
modelled by log-normal distributions with the log-normal standard deviation for
aleatoric uncertainty represented by R and the log-normal standard deviation for
epistemic uncertainty represented by U. For this case, the logarithmic standard
deviation of composite variability, c, is expressed as:
1
b c = ( b R2 + b U2 ) 2 (1)
These concepts are introduced here to emphasize the fact that representations
of the extreme human induced external events are subject to uncertainty in the
phenomena themselves and in the modelling of the phenomena. These concepts
are discussed in significant detail in Ref.[3].
3. EVENT IDENTIFICATION AND

LOAD CHARACTERIZATION
3.1. SCREENING OF EVENTS
The first level of screening was introduced in Phase1 (event identification),

as described in Section2.2. A second level of screening based on-site and nuclear
power plant specific characteristics is implemented in Phase 2 as a function
of the specific site and nuclear power plant characteristics. Typical screening
parameters to be applied in this phase are: probability, distance and magnitude
of event specifics, and on-site characteristics (e.g. design conditions and zones of
influence). Additional screening-out of events may be possible. For nuclear power
plants, the number of co-located facilities on the site is another consideration.
Each of these is discussed briefly in the following.
31
3.1.1. Screening by design robustness
In the design and evaluation process, the inherent strengths in facilities due
to the design and construction conditions need to be recognized. SSCs designed
to the wide range of conditions imposed by the design may possess significant
margin for loading environments owing to defined human induced external
events. For extreme external events, the focus is on the SSCs required to safely
shut down the facility and to maintain it in a safe state through the time necessary
for additional resources from outside the plant to assist, if necessary.
SSCs are designed and evaluated for a large number of conditions:
(a) Structures: Generally, structures provide one or more of the functions of

pressure retention, shielding and confinement, and support to systems
and components. Structures and structural elements are designed for
operational and accident conditions throughout the facilitys life. Operating
loads include dead load, live load, atmospheric temperature, thermal loads,
vibration, radiation effects, pressure retention and aging effects (radiation,
corrosion and other material degrading effects). Structures are designed
for accidental loads, such as missile impact (internally and externally
generated), extreme wind, flood, earthquake, explosions and blasts
(internally and externally generated), extreme heat loads, extreme radiation
effects, impulse loads due to pipe whip and other phenomena, and heavy
load drops. Some of these loading conditions are considered in design to
act simultaneously. Design load combinations, along with conservative
acceptance criteria, lead to robustness that needs to be taken into account in
the evaluation of the consequences of the extreme human induced external
events. Load combinations in DEEs often include only the normal operating
loads and the load due to the extreme human induced event.
(b) Systems: Generally, systems are designed for a companion set of operating
and accident conditions to structures. In addition, system design includes
considerations of redundancy of function, and separation, segregation and
diversity of trains and elements to provide high reliability for successful
system performance for normal operating and accident conditions. This
robustness in system behaviour is characterized in systems models, such as
fault tree models.
(c) Components: Generally, components are designed for a companion set of
operating and accident conditions to structures and systems. However, the
environments for which components are designed, qualified and maintained
are typically more extensive. Operating conditions mean component
32
function (e.g. pumps delivering fluid at a specified flow rate) under a wide
range of specified conditions (e.g. temperature, humidity, radiation, cooling
and vibration). Accident conditions mean components performing required
functions during a specified period and under specified environmental
conditions.
Nuclear facilities are designed for a wide range of extreme loading

conditions. The design basis internal and external events, such as fire, pipe whip,
loss of coolant accident, earthquake, extreme winds, explosions and aircraft
crashes, provide an envelope of protection for a nuclear facility. It is important
to take advantage of this designed protection when evaluating extreme human
induced external events. In fact, some scenarios may be screened out due to
effectively being bounded by design basis or beyond design basis conditions
already considered. Bounding can be demonstrated on the basis of the event
(for the whole facility), the extreme load (for each item), or the sizing requirement
derived from the loads. The screening process becomes increasingly more
difficult as one moves from the event to the load and to sizing.
Design robustness can be physical in the sense of an enveloping of loading
conditions for design basis events compared to the imposed loading conditions
due to the particular extreme human induced external event being analysed.
For example, design for tornado loads may envelope loading conditions due
to external explosions. Aircraft impact imposes structure loading conditions of
global response, local response and vibration effects, for which either of these
effects could be demonstrated to be enveloped by other DBEE loading conditions.
Global response could be enveloped by earthquake loading, in-structure response
spectra due to design basis earthquake may envelope the spectra due to vibration
effects caused by aircraft impact, among other things.
Design robustness may be system wise due to defence in depth and
redundancy. Many of the events may be screened out from detailed analysis,
because their maximum impact is enveloped by design basis accidents, for
example by analysis of transients with the assumption of the worst possible
single failure which has been analysed, so their consequences are known.
In some cases, the critical scenarios developed for an extreme human
induced external event cannot be enveloped by the analysis of design basis
events, but they can be related to scenarios analysed for the assessment of other
extreme external events and the plant specific PSA. The fault trees and event
trees are helpful in understanding the systems logic (this is discussed in much
more detail in Ref.[3]).
33
3.1.2. Screening by distance and magnitude and by probability
When the events cannot be screened out based on design robustness, two
other screening methods are available: screening by distance and magnitude and
screening by probability of occurrence.
3.1.2.1. Distance and magnitude screening
Following this method, the minimum distance and the maximum magnitude
of the event are postulated with respect to the nuclear power plant site and the
potential damaging effects on plant safety are assessed. If the effects are found to
be insignificant, the event is screened out with respect to the assessed parameter.
An example where distance and magnitude screening may be effective is
the screening of vehicles containing explosives. The plant boundary and Member
State administrative procedures may be judged to be effective in keeping vehicles
at safe distances from the nuclear power plant SSCs.
Another example is for extreme human induced external events of flood
conditions (dam failure or overtopping) and consequent site inundation. It may
be possible to assess the maximum flood height and take into account the site
topography and possible drain paths to exclude effects on SSCs located at higher
elevations. This can be applied to both off-site water sources and on-site tank or
piping systems, reducing the possible impact of the flood on equipment important
to safety and the number of events to be analysed in detail.
3.1.2.2. Probability screening
Screening by probability is generally more complex and uncertain, but

it may be applied to events not screened out by distance or magnitude. The
probability level used for screening is generally one or two orders of magnitude
smaller than that used for design purposes, in order not to exclude any events
due to the approximate nature of the probabilistic screening procedure. For
those scenarios not screened out using the distance and magnitude approach,
probabilistic screening criteria may be utilized. Generally, a threshold screening
criteria is an annual probability of exceedance of 107.
3.1.3. Screening by zone of influence
In addition to screening by the many factors discussed previously, this

section discusses conceptual tools that may aid in excluding some events from
further analysis, as the consequences are deemed to be sufficiently low or success
paths for the safe shutdown can be shown to remain intact. On the other hand,
34
these concepts, when applied, could also serve to identify some safety concerns
that are clearly vulnerabilities, without requiring extensive analysis. The concepts
are illustrated using an aircraft crash as an example.
In the case of an aircraft crash, the first issue that national authorities need
to address is which scenario is to be assessed. This requires definitions of, for
example, the types of aircraft, velocities, altitudes and payloads (including the
amount of fuel and the existence of passengers and cargo) which are to be used
in the analysis. For example, with regard to accidental aircraft crash scenarios,
Germany has required designs to deterministically protect against a Phantom or
similar, fast military jet crashing into the nuclear power plant site. In contrast,
France has ruled out accidental commercial and military crashes based on
probabilistic considerations, but it requires consideration of general aviation
crashes (Learjet23 and Cessna210).
These decisions require taking into account current and predicted air traffic
for the country or region. It may involve setting two levels: one for best estimate
survival and another (possibly more unreasonably burdensome) for best estimate
consequences. Having developed national criteria which may be defined down to
a list of site specific approach directions, a case can be made to perform a high
level worst case analysis.
Methodologies for the analysis of impact have been developed over a
number of years and have been updated, as needed, taking into account new
information such as the events of 11 September 2001, testing performed
subsequent to that event, and extensive analytical and numerical studies
performed. These analyses make use of the results of the extensive work that has
been performed on the few cases of aircraft impacts on engineered structures (i.e.
buildings). Reference[2] discusses these approaches in detail.
The Pentagon Building Performance Report[12] and World Trade Center
Building Performance Study[13] provide useful guidance that may be applied to
the nuclear facility case. In Ref.[12], the results of the detailed study assessing
the impact indicated that the damage was initially confined to a roughly triangular
shape, extending along the direction of the approach. The damage swath was
approximately 2324m at the point of entry into the building and extended to a
depth of approximately 70 m. The damage caused by the landing gear was shown
to extend beyond the initial zone of impact. Fire damage, due to burning of the
jet fuel and to secondary fires caused by the ignition of on-site combustibles,
extended into the areas unaffected by the impact, until contained by the building
fire suppression systems.
Hence, the zone of influence concept can be applied for the purpose of
preliminary screening. Aircraft crashes and explosions are two events where the
zone of influence is a valuable tool. The concept is applied to aircraft crashes by
imposing the damage and debris triangles on a scaled representation of a nuclear
35
plant, aligned along each or all determined approach paths. An approximation of
the areas of damage likely to occur to the relevant building can be obtained. The
footprint of the fire and smoke damage can be obtained by extending the zone of
influence until it is met by a fire barrier that has not been damaged by the initial
impact or subsequent debris.
The expectation is that this concept may provide reasonable initial
estimates of the damage caused by an aircraft crash on a nuclear facility based
on the evidence from past events. Clearly, this methodology could not be directly
applied to certain structures within a nuclear facility. Hardened and robust
structures, such as the containment building, would provide additional protection
when compared to the structure of the Pentagon building. These key structures,
whose failure could lead to significant, immediate consequences, would require
additional evaluation to ensure that their integrity can be maintained. However,
this concept could serve to focus the evaluation on those SSCs critical to the
plant achieving safe shutdown, simultaneously eliminating those SSCs that are
highly likely to fail in the crash.
Implementation of this concept could result in a visual representation
similar to that in Fig. 2 for an aircraft crash in one direction (several diverse
directions may be assessed as probable and each would need to be considered).
Impact zone
Turbine building
Debris zone
Fire and smoke zone
Direction of approach
Reactor
building
Auxiliary building
FIG. 2. Simplified schematic of a nuclear power plant indicating the three zones of influence
following an aircraft crash.
36
Assuming a loss of all SSCs contained within the zone of influence,
and using the defined success criteria (i.e. the redundancy and survivability
requirements), the effect of the aircraft crash on the plant can be estimated.
Systematic tools, such as PSAs, simplified event trees and SMAs, can be used
along with the zone of influence to determine whether successful shutdown of
the nuclear power plant remains feasible for those SSCs outside the zone of
influence.
The list of SSCs needed for safe shutdown may populate an SEL plus
structures. It should be noted, however, that the SEL will depend greatly on each
scenario. In the following example, the emergency cooling system is assumed
to be located primarily on the north side of the plant, whereas the shutdown
maintenance cooling system is located on the south side, with the reactor building
between them. Preliminary analysis has shown that either cooling system may be
relied on to maintain the basic cooling requirements for removal of decay heat.
The aircraft crash is to be considered a viable event (i.e. not screened out by
previous methods). The aircraft is considered to be approaching from the north
and the south directions for evaluation by the zone of influence approach. For the
case of approaching from the north, and using the zone of influence concept, the
emergency cooling system is assumed to be unavailable. Based on reasonable
assurances, however, the maintenance cooling will survive the impact, debris
and fire, thus ensuring that basic cooling functions are maintained. The opposite
would be true for the approach from the south.
Caution is to be taken, however, if this methodology is to be used to exclude
scenarios from further consideration. Owing to the significant uncertainty
associated with this method, there needs to be a high degree of certainty that
the essential safety functions are maintained. Furthermore, for open areas such
as a turbine building, the zoning might be an underestimate, while for a cellular
structure with many interior walls, such as a control building, the effects might be
more restricted. Detailed consideration therefore needs to be given to postulated
affected buildings and plants.
The zone of influence methodology may serve to identify clear
vulnerabilities. For example, some nuclear power plants may locate the primary
and secondary control rooms in close proximity to each other. When the damage
footprint is imposed on the plant layout, assuming that it is feasible for the aircraft
to approach from an alternative direction, there would be a good possibility that
both control rooms may be lost simultaneously, or that the access to the secondary
control room may be impeded owing to the severe fires expected.
37
3.1.4. Example of systematic approach to defining scope: Aircraft impact
Significant effort has been expended internationally to develop cost

effective approaches to addressing the issues of extreme human induced
external events. In the United States of America, significant effort was devoted
to evaluating aircraft impact effects on existing and new nuclear power plants.
The methodology, available in Ref.[14], is described here as an example. The
focus is on two buildings the reactor containment building and the spent fuel
storage building. These methodologies were developed as a result of the events
of 11September 2001. They are equally applicable to extreme human induced
external events of accidental aircraft crashes.
An approach similar to the zone of influence approach is used. The
concept of defining areas of consequence for each of the hypothesized impact
locations is employed. The areas of consequence are denoted damage footprints.
Damage footprints are defined for impact, shock and fire loading conditions.
The systematic approach to the evaluation looks first to the buildings containing
nuclear fuel and, afterwards, to the buildings housing the equipment for heat
removal.
3.1.4.1. Reactor containment building and spent fuel storage building
Two buildings the reactor containment building and the spent fuel
storage building are to be evaluated for direct aircraft impact effects:
(a) Impact locations to be considered are defined, which are identified based
on the aircraft parameters (such as angle of impact and manoeuvrability
of aircraft), shielding by topography, nuclear power plant site buildings,
transmission lines and other considerations.
(b) Conservative assumptions about the angle of aircraft impact, for
example perpendicular to the centreline of the containment building and
perpendicular to the spent fuel storage building are made.
(c) Local response, global response and vibration loading conditions are
considered.
Damage footprints due to any consequences of the aircraft crash are developed,
including structure failure modes, fire and vibration effects. The end product
is aircraft impact locations and damage footprints. Studying the effects of an
aircraft crash requires evaluations of global structural response, local response
and vibration effects, as described in Ref. [2].
38
3.1.4.2. Heat removal capability
In addition to the evaluation of the reactor containment building and the

spent fuel storage building, all structures containing equipment necessary to
prevent damage of fuel in the reactor or the spent fuel pool will be identified for
screening or evaluation. Front line and support systems needed for safe shutdown
of the reactor or continued cooling of the spent fuel pool are identified.
In general, each building identified will be evaluated to define impact
locations for structural response. Exterior faces of the buildings will be evaluated
to screen out the need for further evaluation or to determine impact locations:
(a) The faces or partial faces of buildings could be screened out from further
consideration due to shielding by adjacent structures, intervening structures,
or other site features (see the rules in table3-1 of Ref.[14]).
(b) Faces of buildings that are partially screened out are subdivided into
portions for which aircraft impact is possible and not possible;
(c) The impact of multiple buildings during the event is considered, the result
being the identification of multiple buildings vulnerable to a single aircraft
crash;
(d) Candidates for aircraft impact assessment are the end products.
Damage footprints for each building, for each impact location of the
building, and for each mode of failure or excitation (global or local structure
response, fire and vibration effects) are developed for evaluation.
Screening rules were developed to aid in the evaluations:
SSCs are assumed to be unable to perform their function or may perform

their required function depending on parameters such as proximity
to impact location, proximity to fire initiation, spalling, scabbing and
perforation hazards.
Screened out SSCs (those assumed to not be able to perform their functions)
and screened in SSCs are identified for each impact scenario.
Excessive conservatism of screening rules may be reduced by performing

more detailed evaluations, such as those defined in Refs[2,3]. For each impact
scenario, a success path to hot or cold shutdown is defined by sets of screened-in
SSCs. Finally, the results of the evaluation are documented (safeguard
information).
39
3.1.5. Special topics
3.1.5.1. Type and number of co-located facilities on the site
The type and number of co-located facilities on the site can have positive
and negative effects on prevention, detection, control of consequences (normal
and severe conditions) and emergency response.
(a) Positive effects: Multiple critical facilities located on a site (or in the
vicinity) permit the pooling of resources to prevent or mitigate the
consequences of a human induced external event. Various on-site and
off-site measures can be deployed cost effectively.
(b) Negative effects: If there are shared systems between nuclear power
plant units, or on the site in general, a human induced external event may
neutralize the system performance.
The effects need to be carefully considered by key personnel. In addition,

site-side planning, which is a plan for co-located facilities, needs to be
implemented, with on-site and off-site considerations including emergency
response, such as evacuation of the site, if deemed necessary.
3.1.5.2. Considerations in siting
NS-R-3(Rev.1)[4] identifies aircraft crashes and associated phenomena

(impacts, fires and explosions), other explosions, fire and hazardous material
releases as important human induced events to consider at all stages of the
nuclear installation siting, design, construction and evaluation (these events are
also considered in Refs[2,3]).
In addition, NS-R-3 (Rev.1)[4] emphasizes the link between the site
characteristics and the ultimate heat sink and the need to consider human induced
events that could cause a loss of function of systems required for the long term
removal of heat from the core, such as ship collisions, oil spills and fires.
It is important to note that consideration of human induced external events
goes far beyond the site selection stage, since human activities around a selected
site can change considerably during the life of the nuclear installation. Hence, the
set of human induced external events considered applicable to the facility is not to
be frozen at the site selection stage. The site needs to be periodically assessed for
the potential new or increased hazards derived from the updated human activities
in the site vicinity. Hence, new sites are assumed to follow NS-R-3(Rev.1)[4],
but existing sites need to demonstrate, through the methodologies of this Safety
40
Report and Refs[2,3], that the consequences of current potential human induced
events are reduced to acceptable levels.
3.2. EVENT, HAZARD AND LOAD CHARACTERIZATION
3.2.1. Load evaluation for design extension external events
The general approach is to define loading matrices with extensive backup

information, which are provided to the engineers for design and evaluation
purposes. Examples of these matrices are provided in the following sections to
describe the process. The Annex includes three instances of implementation.
All examples in this publication are given for illustration purposes only; actual
requirements are to be defined by Member States.
3.2.1.1. Design extension external events loading matrix
This matrix is a road map connecting extreme human induced external

events to DEE loading. For each event identified in Phase2, the potential extreme
environment to be imposed on the facility is identified. An example is provided
in Table9. This example is purely hypothetical, and the extent of the phenomena
and the parameters defined are not intended to be complete.
The columns of the matrix are defined as follows:
(a) Human induced event No.: An alphanumeric identifier, values ranging from
1 to N, where N is the total number of events.
(b) Human induced event description: A brief description of the event for
identification purposes. (Example: Large passenger aircraft crash into a
nuclear power plant site.)
(c) Physical loading conditions: Numerical identifiers on the type and specifics
of loading conditions caused by the event. The numerical identifiers
correlate directly with the other loading matrices: impact, explosion and
blast, heat and fire, hazardous material release and other environmental
consequences. The end result provides guidance to plant engineering
on engineering disciplines required in the evaluation. It also provides
background on the source of environmental load combinations required.
(d) Impact matrix: One or more impact loading conditions identified by
number and reference to the impact matrix described in Section 3.2.1.2.
(Example: DEE impact loading1 and 2.)
41
42
TABLE 9. EXAMPLE OF DESIGN EXTENSION EXTERNAL EVENT LOADING MATRIX TABLE
Human induced Human induced Explosion/blast Heat/fire Hazardous material

Impact matrix Smothering Flooding Other
event No. event description matrix matrix release matrix
Crash of a large
passenger aircraft
with a fully
1 1, 2 None 1 None None None None
fuelled fuselage
into a nuclear
power plant
N
(e) Explosion/blast matrix: One or more explosion or blast DEE loadings
identified by number and reference to the explosion/blast matrix described
in Section 3.2.1.3. (Example: None, i.e. no explosion or blast loads
associated with Event1 or as ancillary to the aircraft crash.)
(f) Heat/fire matrix: One or more heat or fire loading conditions identified by
number and reference to the heat/fire matrix described in Section3.2.1.4.
(Example: Heat/fire environmental loading condition1.)
(g) Hazardous material release matrix: One or more hazardous material release
conditions identified by the number and reference to the hazardous material
release matrix described in Section 3.2.1.5. (Example: None, i.e. no
hazardous material release condition associated with Event1.)
(h) Smothering, flooding and other phenomena are identified with examples
for future consideration (see Section3.2.1.6 for flooding):
Smothering, choking or depriving SSCs of necessary air for operation is
suggested as a potential concern (e.g. a lack of air to emergency diesel
generators could prevent startup and operation). Smothering due to
firefighting techniques (i.e. foam) may need to be evaluated.
Flooding of the site due to internal or external sources may need to
be evaluated (e.g. the failure of an up stream dam, which leads to the
release of large quantities of water that floods the site).
3.2.1.2. Impact parameter definition matrix
This matrix identifies the impact parameters to be used by plant engineering

for the evaluation of SSC capacity. Each Member State defines the characteristics
of missiles as rigid, semi-rigid or flexible, and also defines the impact parameters,
such as the angle and velocity of impact. An example is provided in Table10.
(a) Missile type/No.: Missile load identifier. In general, values range from 1 to
M, the total number of missile impact scenarios. (Example: MissileNo.1 is
the fuselage from a large passenger aircraft, including fuel; MissileNo.2 is
the engines.)
(b) Description: Brief description of source of loading condition. (Example:
Missile No. 1 is a crash of a large passenger aircraft with a fully fuelled
fuselage; MissileNo.2 is the engines.)
(c) Mass: Mass of the missile. (Example: MissileNo.1 is 157000kg, including
fuel; MissileNo.2 is 4800kg per engine.)
43
44
TABLE 10. IMPACT PARAMETER DEFINITION MATRIX
Missile Shape/ Impact Impact Relative

Description Mass (kg) Fire Explosion Vibration Other
type/No. configuration angle velocity hardness
Crash of a large
passenger aircraft
Defined by Defined by
with a fully
1 157 000 Flexible Member Member Flexible 1 No Yes No
fuelled fuselage
State State
into a nuclear
power plant
Large passenger Defined by Defined by

1.40 m diameter/
2 aircraft engines 4 800 Member Member Semi-rigid No No No No
hollow cylinder
as projectiles State State
M
(d) Shape/configuration: General and specific description of missile.
Dimensions specified, if available at this stage. (Example: MissileNo.1 is
a flexible fuselage, dimensions to be determined; MissileNo.2 engines to
be assumed rigid and dimensions as shown.)
(e) Impact angle: Angle or range of potential impact angles taking into account
the physics and human capability necessary to achieve objective. (Example:
Impact angle in the range of 030 from the horizontal.)
(f) Impact velocity: Velocity of missile taking into account the physics and
human capability necessary to achieve objective. (Example: 180m/s.)
(g) Relative hardness: Important parameter in assessing effect of missile
on SSCs. Qualitative or quantitative measure. (Example: Missile No. 1
fuselage is considered flexible; MissileNo.2 is considered rigid.)
(h) Ancillary effects: These are effects that are consequential to the direct
impact. They may be specified in other places in the specification such
as fire in the example. They may be consequences to the impact, such
as spalling or scabbing of concrete, which may be an ancillary effect on
components in the vicinity of the impact.
(i) Fire: Missile impact causes a fire due to the missile impacting a combustible,
such as a diesel oil tank. (Example: MissileNo.1 refers to heat and fire, 1
within the fire matrix, which is a jet fuel fire associated with the aircraft
crash; MissileNo.2 has no related fire.)
(j) Explosion: Missile impact causes explosion due to impacting an explosive
storage facility in the surrounding area of the plant. (Example: No explosions
assumed.)
(k) Vibration: Missile impact causes overall vibration of the impacted building.
Vibration can affect sensitive equipment. (Example: MissileNo.1 impact is
considered able to produce significant vibration affecting all the building.)
(l) Other: Other hazards identified, such as intruders in coordination with
missile attack. (Example: No other hazards identified.)
3.2.1.3. Explosion/blast parameter definition matrix
This matrix identifies a simplified set of parameters for explosion and

blast loading conditions for the use of plant engineering in the evaluation of SSC
capacity. An example is provided in Table11.
45
TABLE11. EXPLOSION/BLAST PARAMETER DEFINITION MATRIX
EXPLOSION PARAMETERS PRESSURE PULSE
TNT equivalent Reference Incident

Explosion No. Description Reflected
mass distance (side-on)
(a) Explosion No.: Explosion and blast condition identifier. Values range
from 1 to the total number of blast conditions considered. (Example: No
explosion or blast conditions were assumed.)
(b) Description: Description of the explosion scenario.
(c) Explosion parameters: Table 11 presents example descriptors of the
characteristics of the explosion. For general descriptions, trinitrotoluene
(TNT) equivalent mass and reference distance (measured from a facility
reference point) is the most general information. Other descriptors can be
given if the multi-energy method is used[2].
(d) Pressure pulse: Table 11 presents example descriptors of the pressure
pulse created by the explosion. Specific information about the incident
and reflected waves would be developed for the nuclear power plant under
evaluation. Typically, side-on and reflected peak overpressures are used.
The details are a function of numerous site specific characteristics.
3.2.1.4. Heat/fire parameter definition matrix
This matrix identifies the heat and fire characteristics to be used by plant
engineering for the evaluation of SSC capacity. An example is provided in
Table12.
(a) Fire No.: Heat and fire condition identifier. Values range from one to the
total number of fire conditions.
(b) Description: Brief description of the source of the fire. (Example: Jet fuel
fire from a large passenger aircraft.)
46
TABLE 12. HEAT/FIRE PARAMETER DEFINITION MATRIX
FIRE SOURCE OR COMBUSTIBLES INSIDE

FIRE SOURCE OUTSIDE FACILITY
FACILITY
Burn
Combustible/ Quantity Heat potential/temp. Burn Building/ Quantity Ignition
Fire No. Description Other Type duration
ignition (kg) (C) duration (h) yard (kg) likelihood
(h)
Jet fuel fire

from a large
1 Yes 50 000 1 000 18
passenger
aircraft
47
(c) Fire source outside facility: These entries define the fire hazard on the basis
of its source being outside the facility. For an aircraft crash or other similar
event, the distribution of the combustibles within and outside the facility
boundary is important. Two obvious distributions are on plant yard and
penetration into buildings; another is outside the facility boundaries, which
could inhibit access by emergency responders and others. Examples of
important parameters include type and quantity of combustible, estimates
of heat potential and temperature, and duration of burn. (Example: Jet
fuel from a large passenger aircraft spilled and ignited. No penetration of
building. Quantity is 50000kg. Burn duration at high temperature, 1000C,
is 1hour maximum and 57hours of residual fire at 300C.)
(d) Fire source or combustibles inside facility: These entries define the fire
hazard on the basis of the source being inside the facility or ignited inside
as a consequence of an outside source. Examples of important parameters
include type and quantity of combustibles, location and estimated duration
of burn. (Example: None.)
3.2.1.5. Hazardous material release definition matrix
This matrix identifies important parameters for hazardous material release

conditions at the nuclear power plant. An example is provided in Table13.
(a) Case No.: Hazardous material release number. Values range from 1 to
the total number of hazardous material release conditions. (Example: No
hazardous material release was assumed.)
(b) Material description: Brief description of the hazardous material.
(c) Quantity: Quantity of the material released and over what time frame.
(d) Smothering effect (personnel): Physical effects on personnel (e.g. plant
operating staff) need to be itemized. Indicate whether personnel protective
gear is required and the time frame for implementation.
(e) Smothering effect (components): Smothering or choking of components
as a possible effect is to be identified. For example, if emergency diesel
generators could be adversely affected by the atmospheric dispersion of a
particular chemical, it needs to be identified here.
(f) Lethal or disabling effects (personnel): Potential effect on plant personnel.
(g) Duration: Time frame in which hazardous material is present. Occurrence
of dispersion.
(h) Penetration extent: Hazardous material migrates into buildings through
flow paths, including heating, ventilation and air-conditioning systems, or
remains in the plant yard.
48
TABLE 13. HAZARDOUS MATERIAL DEFINITION MATRIX
HAZARDOUS MATERIAL LOADING CONDITIONS
Material Smothering effect Smothering effect Lethal or disabling

Case No. Quantity Duration Penetration extent Other
description (personnel) (components) effect (personnel)
49
3.2.1.6. Flooding
Generally, flooding scenarios can be initiated from inside the plant

boundary or outside the plant boundary. Inside the plant boundary, there may
be a combination of causes of flood scenarios. Generally, flood would be a
secondary effect to another event, for example aircraft crashes or explosions
could damage multiple yard tanks simultaneously. Well designed nuclear power
plants will have considered common cause events that could cause yard tanks
to fail simultaneously (e.g. earthquakes). However, the design conditions may
have introduced capacity that would be effective when considering extreme
DEEs. For example, well anchored flat bottom tanks may easily resist the effects
of explosions, but not aircraft or rigid missile impact. Consequently, the effect
on safety systems may have already been evaluated. However, designers of new
plants and evaluators of existing plants need to revisit the issue to verify that it
has been treated properly for the extreme human induced external event.
Outside the plant boundary, a nuclear power plant sited on a river or
other body of water constrained up stream by one or a series of dams could be
vulnerable to externally induced failures. Multiple dam failure could be caused
by a variety of phenomena progressively failing dams up stream of the plant.
These scenarios are best treated by a combination of Member State measures,
such as monitoring fill levels of the dams to be certain overtopping or failure
does not occur. The nuclear power plant may participate in the minimization of
the consequences by having in place an emergency procedure for shutdown if
advance warning of a potential flood is given. To be confident of the effectiveness
of such an emergency procedure, it needs to be incorporated into normal operator
training.
3.2.1.7. Summary table
This table provides a summary of loading conditions for the evaluation of

the facility. The table and its backup information is the pinch point between the
human induced external event definition and the evaluation requirements for the
engineering safety experts. The table contains the loading identifiers and the load
combinations to be considered. An example is provided in Table14, which has
been simplified for illustrative purposes. For all items on the SEL, there is a set
of loading conditions and load combinations to be considered.
50
TABLE 14. EXTREME LOADING MATRIX SUMMARY TABLE
Plant area Vital area Description Impact Blast Heat/fire Hazardous material release Smothering Flooding Other
Building 1
Building 2
Building 3
Zone 1
Zone 2
Zone 3
Zone 4
Yard 1
Yard 2
SEL item 1
SEL item 2
51
4. PLANT SPECIFIC EVALUATION
4.1. DEFENCE IN DEPTH
The basic approach to the overall plant specific evaluations is utilizing the
concept of defence in depth[1,8]. In a full scope safety evaluation against human
induced external events, all layers of defence in depth are assessed. The layers of
defence in depth may be intrinsic or extrinsic, on-site or off-site, and related to
safety, security or a combination. Some layers of defence in depth are related to
prevention (prevention of the human induced event from adversely impacting the
nuclear power plant) and others to mitigation when, for example, core damage
is considered the consequence of the human induced event.
Five levels of defence in depth are defined as follows [8]:
Level1: Prevention of abnormal operation and failure, and prevention of

the consequences of human induced event scenarios from reaching the
nuclear power plant;
Level2: Control of abnormal operation and detection of failures, and
control of damage caused by human induced events through design
principles, including design robustness, redundancy, physical separation
and diversity;
Level3: Control of accidents within the design basis;
Level4: Control of severe plant conditions, including prevention of
accident progression and mitigation of consequences of severe accidents;
Level5: Mitigation of the radiological consequences of significant external
releases of radioactive materials.
Owing to the interdependencies of their roles and responsibilities, the

Member State and the operator share the responsibility of the defence in depth
as a whole:
(a) At level 1, human induced external events are initiated outside the plant
boundary. Consequently, there is a shared responsibility between the
Member State organizations to prevent human induced events from
occurring.
(b) At levels 24, if human induced events are initiated, the majority of the
initial burden for level 24 activities is the responsibility of the operator.
However, there is an understanding of approach between Member State
organizations and the responsible plant personnel.
52
(c) At level 5, emergency response activities clearly involve the Member State,
not only the operator. Hence, the related activities are also interdependent.
A coordination plan is the key element to ensure coordination of off-site

and on-site activities. A coordination plan is to be established for the integration
of on-site and off-site action plans. The coordination plan needs to define roles
and responsibilities, communication (including command and control, alarms,
responsible government organizations, media, public) and emergency response
coordination with existing procedures.
4.2. SUCCESS PATH AND FAILURE PATH
Two modelling and evaluation approaches are tools in the plant specific
evaluation process: probabilistic safety assessment (PSA) and safety margin
assessment (SMA). These methods are discussed in detail in Ref.[3].
The SMA approach relies on defining success paths. A success path is a
set of systems and associated components that can be used to bring the plant
to a stable hot or cold shutdown condition and to maintain this condition for a
specified period of time. A complementary definition is that a success path is
defined by SSCs whose successful performance will put the nuclear power plant
in a safe state (i.e. hot or cold shutdown).
Once the front line and support systems are identified, the success paths
consisting of combinations of safety systems, equipment and structures will be
developed. These required SSCs will be listed on an SEL augmented by required
structures. All screening tools, including those identified in Section 3 will be
implemented.
In its entirety, the PSA approach models the process from initiating event
to end metrics of interest, including mitigation systems, containment SSCs
(level 2), and on-site and off-site consequences (level 3). This constitutes
defining the failure paths and their quantification in probabilistic terms. Similar
to the success paths, the potential failure paths comprise SSCs that define the
SEL for further evaluation. When SEL items cannot be screened out based
on conservative performance criteria, a detailed computation of capacities is
necessary (see Section4.5).
53
4.3. SELECTED EQUIPMENT LIST
SSCs that require evaluation for the SMA or the PSA are identified
depending on the methodology to be implemented. Along with identification of
the SSCs, their required performance needs to be identified.
For the SMA approach, multiple equipment lists could be defined as a
function of the event under evaluation. Different sets of lists will be required for
different human induced events based on the location and extent of effects of the
event. The important element here is to systematically assess the human induced
events and the accompanying equipment lists. It is expected that the number of
items on the equipment lists will be in the hundreds.
4.4. AREA DEPENDENT EVENT EVALUATION
There are many events for which area dependent evaluations are performed
for design basis external events (DBEEs) and for design extension external events
(DEEs). Three examples are security events (design basis threats and beyond
design basis threats), internal and external fires, and internal and external floods.
In the case of physical protection systems, security evaluations are based on
identifying vital areas and protecting those vital areas. A vital area is an area within
the protected area containing equipment, systems, devices or nuclear material, the
damage of which could directly or indirectly lead to unacceptable radiological
consequences. Depending on the safety philosophy of the nuclear power plant
(and the Member State), the set of vital areas could include all designated safety
systems or a subset of safety systems and equipment. The number of vital areas
and their extent depend on the physical protection philosophy of the Member
State. In some Member States, all safety related items are to be protected. This
translates into a small number of vital areas, but with very large areal extent (e.g.
an entire building might be defined as one vital area). Alternatively, a minimum
set of equipment may be a subset. This latter philosophy would be parallel to the
SMA approach to human induced external events.
In the case of fire and flood, location dependent evaluations are also
implemented and can be used to assess the survivability of a minimum subset
of SSCs. Location dependency is especially true when one assumes items in
a compartment fail when fire or flood engulf the compartment. In that case,
survivability is 100% dependent on location.
It is important to note that existing models and results can be used in the
development of the elements of the evaluation methodology. These models could
be probabilistic or deterministic (i.e. event or fault tree or success path based).
54
4.5. PERFORMANCE OF STRUCTURES, SYSTEMS AND COMPONENTS
4.5.1. Civil engineering structures
Civil engineering structures subjected to various levels of DBEEs and DEEs

are evaluated by techniques described in Ref.[2] (see Table 8, in Section 2.2.4,
for acceptance criteria for structures at the three levels).
4.5.2. Mechanical and electrical equipment
Important considerations regarding the evaluation of performance of

mechanical and electrical equipment in extreme loading environment are:
(a) To define the functions to be performed by the item of interest, in what time
frame and under what environmental conditions;
(b) To define the extreme loading environment to be imposed on the item of
interest (including amplitude and duration), for example direct heat/flame,
compartment temperature as a function of time, and mitigating factors that
are evaluated to be effective (e.g. the fire suppression system);
(c) To determine the support systems required for the item of interest to operate
as required (e.g. emergency power and room cooling);
(d) To determine the likelihood of the item of interest to fulfil the required
function by using engineering evaluations (e.g. test data, analyses and
computer simulations);
(e) To transmit this information to the systems modelling discipline[3].
4.5.3. Piping, cabling, instrumentation and control, and service lines
Distribution systems are the life blood of the front line and supporting
systems. Distribution systems are best evaluated by a combination of analytical
tools and in-plant evaluations. The most significant vulnerabilities to piping,
cabling, instrumentation and control, and heating, ventilation and air-conditioning
systems are due to direct effects, such as explosions, mechanical impacts (aircraft
crashes), fire and flood. In addition, indirect failures, such as structure elements
failing, falling or otherwise damaging the distribution system, are important.
It is extremely important to identify the required functions to be performed
by the distribution system of interest when subjected to an event and the
subsequent hazard and effect. This is especially true for instrumentation and
control systems. Generally, instrumentation and control systems are more
vulnerable than other distribution systems, which are typically rugged when
55
subjected to extreme loading conditions. Consequently, required instrumentation
and control systems need to be carefully considered in all areas of the evaluation.
It is difficult to evaluate these potential failure modes only from drawings
without an in-plant evaluation. For existing nuclear power plants, in-plant
evaluations are to be performed. For new nuclear power plants, in-plant
evaluations can be performed at system turnover.
4.6. PLANT PERFORMANCE EVALUATION
The three fundamental safety functions to be maintained for human

induced external events imposed on the nuclear reactor are control of reactivity,
fuel cooling and confinement of radioactive material. To achieve these safety
functions, front line and support systems are required to perform their functions.
As part of the front line and support systems, essential monitoring and control
capabilities may be required.
In the light of the Fukushima Daiichi accident, some Member States require
additional conditions to be met for the integrity of the spent fuel pool and for
spent fuel pool cooling. One Member State requires the following plant states
to be demonstrated to be achievable through design or verification for loading
conditions of extreme human induced external events:
Safe shutdown (DBEE, DEE 1 and DEE 2);

Containment function (DBEE and DEE 1);
Spent fuel pool integrity (DBEE and DEE 1);
Spent fuel pool cooling (DBEE, DEE 1 and DEE 2);
Ultimate heat sink (DBEE, DEE 1 and DEE 2).
In some Member States, successful performance is defined as[14]:
The reactor core remains cooled, or the containment remains intact.

Spent fuel cooling or spent fuel pool integrity is maintained.
Reference[3] examines these criteria and alternatives in detail. The

following sections explore the main aspects to be considered in the assessment of
performance of the safety functions.
4.6.1. Safe shutdown
Safe shutdown refers specifically to the nuclear reactor system and includes
hot or cold shutdown, prevention of recriticality and decay heat removal.
56
Verification of the ability of the nuclear power plant SSCs to shut down
the plant and to maintain it in a hot or cold shutdown state is the objective of
the safety assessment. Verification methods and acceptance criteria may be tiered
depending on the severity of the human induced external event.
Three operating states need to be considered: full power, low power and
outage. The most vulnerable state of operation is not known apriori, consequently
all states require evaluation or, as a minimum, consideration.
In addition to the evaluation of the reactor containment building, all
structures containing equipment necessary to prevent damage to fuel in the
reactor or the spent fuel pool will be identified for screening or evaluation.
Front line and support systems needed for safe (cold) shutdown of the reactor or
continued cooling of the spent fuel pool are identified.
4.6.2. Containment function
The containment function relies on maintaining the containment structures

integrity when subjected to the human induced events. This is essential if the
event has induced core damage (Level4 layer of defence in depth).
The first level of containment integrity is to ensure that direct damage to the
containment structure induced by the event is highly unlikely to occur. Assurance
is gained through evaluations of the structure capacity of the containment when
subjected to mechanical and other loading conditions owing to the event. The
containment structure is considered to maintain its structural integrity when it is
satisfactorily evaluated for the event under consideration by the methodologies
of Ref.[2] and the accompanying acceptance criteria.
In addition, the containments ultimate pressure capability, given a core
damage event, should not be exceeded before effective mitigation strategies
can be implemented. Effective mitigation strategies are those that, for a period
of time, provide sufficient cooling to the damaged core or containment to limit
temperature and pressure challenges below the ultimate pressure capability of the
containment. Generally, this means that front line and support systems needed to
ensure that these preventative actions are successfully achieved will be available
when under demand after the initial actions of the human induced external event.
The next level of containment evaluation is to ensure that, given a level of
fuel damage, the following occurs:
Prevention of hydrogen deflagration or hydrogen detonation (inerting,

recombiners or igniters), taking into account venting processes;
Prevention of overpressurization of the containment;
Prevention of recriticality;
Prevention of basemat melt-through.
57
In the PSA language, one can envision a high level OR gate: (reactivity
control and core cooling are maintained) OR (containment integrity is
uncompromised due to direct effects of the human induced external event AND
front line and support systems needed to maintain containment integrity operate
successfully).
4.6.3. Spent fuel pool integrity and cooling
As in the evaluation of the safe shutdown and the containment, two levels
of evaluation are required for the spent fuel: direct damage to the spent fuel pool
due to the event and indirect damage, as described in the following.
Direct damage is a direct consequence of the scenario, for example aircraft
impact on the fuel storage building, wall failure or a projectile penetrates the
outer wall and ruptures the spent fuel pool wall, thereby releasing water and
leading to the uncovering of the spent fuel elements.
Indirect damage is an indirect consequence of the scenario, for example
the spent fuel pool stays intact but the spent fuel pool cooling relies on a series
of front line and support systems (some identical to those required for the reactor
cooling) and these systems fail. The cooling function cannot be achieved, the
water boils off, the spent fuel rods eventually become uncovered and radioactive
material is released.
The evaluation process remains the same as for ensuring reactivity control,
cooling of the core, and reactivity confinement. The engineering safety evaluation
methodologies of Refs[2,3] apply directly.
4.6.4. Ultimate heat sink availability
The ultimate heat sink (UHS) is a medium to which the residual heat from
the reactor is transferred. In some cases, the nuclear power plant has a primary
UHS, such as the sea or a river, and a secondary UHS, such as another water
source or the atmosphere. In the engineering safety evaluation, it is important to
recognize multiple UHSs and their characteristics (i.e. location, form, reliance on
front line and support systems). The redundancy offered by a secondary UHS is
important, since in many cases the primary UHS and its systems may not be well
protected from an extreme human induced external event. Emergency measures,
such as FLEX, may provide the means for an alternative UHS.
58
4.7. ASSESSMENT OF EXTERNAL PLANT CONDITIONS
External plant conditions are conditions which exist in the surrounding

areas of the nuclear power plant that may be a help in, or a hindrance to,
preventing the consequences of the human induced external event. Typical
conditions that would be helpful in preventing a human induced external event
from having a significant effect on the nuclear power plant and the surrounding
area are administrative controls on potential sources of these events implemented
by Member States:
Buffer zones in the air, land and water, for example maintaining hazardous
material boundaries outside the plant boundary and so preventing land or
water vehicles from entering areas where explosions or hazardous material
releases could affect the nuclear power plant;
Maintaining no-fly zones around the nuclear power plant;
Maintaining a buffer zone of no combustibles on the land around the plant
boundary.
A typical condition that would be a hindrance to preventing a human

induced external event from having a significant effect on the nuclear power
plant and the surrounding area is high population density in the vicinity of the
nuclear power plant.
4.8. ACCEPTANCE CRITERIA
As introduced in Section2.2.4, Phase4 of the overall methodology deals

with acceptance criteria, which may be in the form of end metrics:
(a) Risk oriented, for example core damage frequency, large early release
frequency, total effective dose equivalent to personnel and total effective
dose equivalent to the public.
(b) Capacity oriented, for example conservative containment capacity when
subjected to specified aircraft impact loads, best estimate capacity (only
slightly conservatively biased). Table 8, in Section2.2.4, presents an
example of these acceptance criteria for SSCs.
59
Acceptance criteria may expand on to the SSC level:
Systems requirements: The number of safety trains to be protected or

demonstrated to be available, including capacities of SEL items in the
safety trains. Section2.3 provides commentary on this subject.
SSC capacity values: Treating the loading environment as best estimate and
the resistance of SSC in the same manner, or conservatively defining the
loading environment and conservatively defining the systems acceptance
criteria, for example demonstrate one or two trains of safety systems to be
verified to perform (redundancy).
IAEA publications introduce the tiered approach to defining safety

assessment methodologies and acceptance criteria[2,3]. For example, the
consequences of less severe events (i.e. more frequent events) on the nuclear
power plant of interest need to meet more stringent acceptance criteria than
those of the most severe events (i.e. rare or less frequent events). For less severe
events, requirements include redundant success paths to arrive at safe shutdown
and conservatism in defining both the environmental loading functions and
the performance criteria of SSCs essentially elastic material behaviour for
structures, components and equipment, and distribution systems. For the most
severe hazards, verifying a single success path to safe shutdown using realistic
analyses may be acceptable. Table 8, in Section2.2.4, suggests one approach
where systems requirements tier down depending on the event severity level.
References[2,3] follow this approach when discussing system and structure
capacity acceptance criteria.
4.9. EVALUATION PROCEDURE
In summary, the general procedure for plant specific evaluation consists of:
(a) Event and load characterization: This is the input to the plant specific
evaluation, originating from Phases1 and 2 (see Section3).
(b) Systems analysis: Depending on the selected approach (SMA or PSA),
success paths or failure paths are identified for each event given as input
(see Section4.2).
(c) SEL: Using the results of the systems analysis and the area review, a list
of SSCs required to perform the selected safety functions under the plant
conditions generated by the considered events is compiled for capacity
assessment (see Section4.3).
60
(d) Area dependent event evaluation: Areas of influence corresponding to the
events are assessed in order to identify the portions of the plant at which
SSCs will likely not be available to perform their intended safety functions
(see Section4.4).
(e) Assessment of SSCs: Performance of selected SSCs for the loading
conditions given as input is assessed (see Section4.5). As a result of the
assessment, SSCs not able to perform their intended safety functions are
identified.
(f) Assessment of plant performance: Using the results of the systems analysis
and the assessment of SSCs carried out in the previous step, the overall
performance of the plant to keep the fundamental safety functions under the
external events is assessed (see Section4.6).
(g) Acceptability of plant performance: Plant performance is assessed against
the acceptance criteria in the Member State (see Section 4.8). This is
already Phase4 of the overall evaluation (see Section2.2).
A very important element to emphasize is that the evaluation of safety

against human induced external events is very much a multidisciplinary activity. It
involves specialists with expertise in safety engineering, operations, engineering
(e.g. civil, structural, mechanical, electrical, instrumentation and control, and
geotechnical) and emergency response. The interaction of these disciplines is
essential to obtaining a holistic approach to dealing with design extension human
induced external events.
5. DESIGN OF NEW PLANTS
5.1. DESIGN PROCESS
For new nuclear power plants, it is essential to consider human induced

external events during the design process, taking into account lessons learned
from evaluations of existing nuclear power plant SSCs. Future nuclear power
plants are being designed for operating lives up to 60years. It is prudent to verify
that new designs have the capacity to resist various human induced external
events and, if necessary, provide additional design features to ensure that the
capacity exists.
61
The general design process is shown in Fig.3 and includes important
elements such as the following:
(a) Safety goals in terms of metrics such as core damage frequency, large
release frequency and dose limits to the public are applicable in numerous
Member States. Member States set the specific target values for these safety
goals through law. In general, they are applicable to accidental human
induced external events. For non-accidental human induced events, some
Member States have specific acceptance criteria.
(b) Three fundamental safety functions are defined as: (i) the control
of reactivity; (ii) the removal of the heat from the core; and (iii) the
containment of radioactive material. In some Member States, these three
safety functions are further broken down, in particular item(ii).
(c) Member States define and specify deterministic and probabilistic success
criteria. Both deterministic and probabilistic success criteria are utilized in
the implementation of the defence in depth principles as shown.
(d) The defence in depth concept belongs to the nuclear safety fundamentals.
The layers of defence in depth may be intrinsic or extrinsic, on-site or
off-site. Some layers of defence in depth are related to prevention and
others to mitigation.
The general aspects of siting and design make a very important contribution
to the protection of nuclear power plants against human induced external events.
For new nuclear power plants, generally two stages of design development exist:
standard or reference design (e.g. in the United States of America, Certified
Designs are licensed); and site specific issues once a site is selected.
DEEs may not be available for a new design. It is then necessary to perform
the analysis using a generic DEE (site and state independent). It is also possible to
use events that are beyond a design level in order to attain graded protection. This
will serve the purpose of designing the facility to some level of human induced
external event. After the site is selected and the DEEs are known, it is necessary
to complement the design with extrinsic measures so that all the human induced
events scenarios that can be generated are addressed.
5.2. HUMAN INDUCED EVENT: AGNOSTIC DESIGN
The details of human induced events to be considered in current designs

are specified and available. However, considering the expected operating life
of new nuclear power plants to be 60 years, it is prudent to think beyond the
current environment of possible events. Larger and larger aircraft are being
62
SAFETY OBJECTIVES
General Nuclear Safety Objective
Radiation Protection Objective
Technical Safety Objective
SAFETY GOAL
F
FUNDAMENTAL SAFETY FUNCTIONS

Confinement of radioactive material
Control of reactivity
Removal of the heat from the core
IMPLEMENTATION OF
DEFENCE IN DEPTH
PROBABILISTIC Level 1 (Prevention) DETERMINISTIC
SUCCESS CRITERIA Level 2 (Control) SUCCESS CRITERIA
Level 3 (Accidents Cond.)
Level 4 (Severe Plant Cond.)
Level 5 (Off-Site Mitigat.)
DEVELOPMENT OF
SAFETY REQUIREMENTS
SAFETY
REQUIREMENTS
FIG.3. Flow chart for design requirements.
designed, built and put into operation. Transportation routes, pipelines and other
infrastructure are anticipated to change during the life of the nuclear power plant.
Relying strictly on administrative control to prevent such hazards from impacting
new nuclear power plants may be unreasonable. A philosophy of design and
evaluation of defining a set of human induced event agnostic scenarios and
treating those as generally enveloping anticipated future defined human induced
events is prudent.
One such enveloping case is aircraft crashes, which includes impact
loading conditions of global response, local response, and vibration effects
and fire effects. Hence, larger aircraft than the existing fleet could be specified
by the Member State for one DEE. These specific phenomena are treated in
63
Ref.[2]. In addition, there may be other human induced events that are defined
(or need to be defined) that encompass currently identified human induced events
or hypothesized future events. It is recognized that some Member States are
implementing this process or philosophy. Implementing this process will provide
decision makers information on the capacity of newly defined environmental
loading conditions in the decades to come while existing and new nuclear power
plants are in operation.
An additional consideration that falls into the category of human induced
event agnostic design is the evaluation of the nuclear power plant for extreme
external events without consideration for how the following states could arise:
Station blackout (i.e. the loss of on-site normal power, off-site power or
emergency power);
Loss of UHS (e.g. the loss of primary UHS);
Simultaneous station blackout and loss of UHS.
5.3. REDUNDANCY, DIVERSITY AND SEPARATION
Redundancy, diversity and separation have been introduced into the

design concept for most new nuclear power plant designs. New nuclear power
plant designs are required to have redundant systems to provide front line or
supporting functions, and the reactor vendors take the opportunity of a new
design to introduce diversity and separation into system design. Diversity in
systems and components is introduced for a number of reasons, one of which
is to avoid correlation of failure of identical systems and components located
in near identical locations. Correlation of failure of redundant systems due to
their identical nature may defeat one of the important attributes of redundancy;
that is, no safety improvement gained for particular initiating events, for example
common cause events, such as earthquakes. Identical components residing close
to each other so that they receive the same seismic input are identically aligned,
with the same supports and anchorage that will likely have correlated failure
modes. If there were four emergency diesel generators, one required for each
train, and one train required for system success, correlated failures would assume
that if one generator fails, they all fail.
The concept of separation is also very important for design implementation,
especially for dealing with human induced events that have a large area of
influence. An example of the consequences of lack of separation is four pumps
providing water to the component cooling water system. All four pumps are
located in the intake structure. In a fire initiated following an aircraft crash and
fuel fire: if one pump fails, they all fail.
64
5.4. LAYOUT
Layout is particularly effective in minimizing the consequences of human

induced external events. Sections2 and 3 discuss zones of influence and damage
footprints, which take into account the advantages of layout in preventing a
single human induced event from disabling multiple SSCs.
5.5. DESIGN OF STRUCTURES, SYSTEMS AND COMPONENTS
Perhaps the most important issue for new nuclear power plant designs is
the implementation of shielding structures that shield the reactor containment
building (and in some cases other structures important to safety) from damage
due to extreme external events, such as an aircraft crash. The majority of
these shielding structures are designed to preclude phenomena associated with
aircraft crashes (i.e. overall and local structure failure), which then precludes the
possibility of a jet fuel fire being initiated inside the safety related structures.
Often, a gap exists between the shielding structure and the safety related structure
to provide additional defence in depth for impact, vibration and fire loading
conditions.
Although these shielding structures are designed specifically for aircraft
crashes, they are also effective against other loading conditions, such as large
explosions.
5.6. DESIGN CAPACITY OF PLANT
Throughout the world, DEEs of human induced origin, such as the impact
of a large commercial aircraft on a nuclear power plant, are being taken into
account in the design process. In the light of the Fukushima Daiichi accident,
human induced event agnostic design scenarios are also being evaluated for all
new designs. Thus, there is high confidence that many extreme human induced
external event scenarios are being taken into account in the design of new nuclear
power plants.
65
6. SAFETY EVALUATION OF EXISTING PLANTS
The methodologies for existing and for new nuclear power plants are
basically the same. The differences are that new plants have a focus on explicitly
considering some human induced events in the design process events that
may not have been recognized at the time of the design of existing plants. In
other words, DEEs are considered in the design process for new plants, whereas
beyond design external events were not taken into account in the design process
of most existing plants (see Fig.1, in Section1.5).
There are distinct differences between the evaluation of existing plants for
beyond design external events and the design of new plants when subjected to
DEEs. The obvious difference is that the physical existence of the existing plant
limits the physical modifications that can be implemented easily or at all. Hence,
management of human induced event scenarios for existing plants will rely on
the robustness of the existing designs, relatively small physical modifications
(if deemed necessary and cost effective), operational or procedural changes, and
emergency management (e.g. FLEX and EMEG). Detailed evaluation procedures
are contained in Refs[2,3].
7. MANAGEMENT OF THE ASSESSMENT
Member State regulatory authorities need to provide operators at the outset

with the criteria to be used in the assessments. At the same time, they need to
agree to a timescale for the conduct of the assessment and for reporting back
the conclusions and recommended actions. The regulatory authorities may
undertake their own prioritization of the programme for the total number of
nuclear power plants and operators under their responsibility. That prioritization
may be influenced by factors such as national information, source terms and
release fraction estimates, and potential effects on the public (dispersion and
concentration of radioactive materials). Similarly, the effects of reported incidents,
in particular major events (e.g. the chemical plant explosion in Toulouse, France,
the events of the 11September2001 and the Fukushima Daiichi accident), can
influence scheduling and prioritization.
66
Peer review is highly desirable. As discussed throughout this publication
and in Refs[2,3], assessment of the effects of human induced external events is
a multidisciplinary activity with highly specialized elements, perhaps requiring
experts in the field to perform the work. Consequently, peer review by other
experts in these areas is required. Records retention needs to be robust to enable
future retrieval when new human induced events may be postulated.
67
REFERENCES
[1] EUROPEAN ATOMIC ENERGY COMMUNITY, FOOD AND AGRICULTURE

ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC
ENERGY AGENCY, INTERNATIONAL LABOUR ORGANIZATION,
INTERNATIONAL MARITIME ORGANIZATION, OECD NUCLEAR ENERGY
AGENCY, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS
ENVIRONMENT PROGRAMME, WORLD HEALTH ORGANIZATION,
Fundamental Safety Principles, IAEA Safety Standards Series No.SF-1, IAEA,
Vienna(2006).
[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Aspects of Nuclear Power
Plants in Human Induced External Events: Assessment of Structures, Safety Reports
Series No.87, IAEA, Vienna(in preparation).
[3] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Aspects of Nuclear Power
Plants in Human Induced External Events: Margin Assessment, Safety Reports Series
No.88, IAEA, Vienna(2017).
[4] INTERNATIONAL ATOMIC ENERGY AGENCY, Site Evaluation for Nuclear
Installations, IAEA Safety Standards Series No.NS-R-3(Rev.1), IAEA, Vienna(2016).
[5] INTERNATIONAL ATOMIC ENERGY AGENCY, Human Induced External Events in
Site Evaluation for Nuclear Power Plants, IAEA Safety Standards Series No.NS-G-3.1,
IAEA, Vienna(2002).
[6] NUCLEAR ENERGY INSTITUTE, Diverse and Flexible Coping Strategies (FLEX)
Implementation Guide, NEI12-06, Rev.0, NEI, Washington, DC (2012).
[7] NUCLEAR ENERGY INSTITUTE, B.5.b Phase 2 & 3 Submittal Guideline, NEI06-12,
Rev.2, NEI, Washington,DC(2006).
[8] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in
Nuclear Safety, INSAG-10, IAEA, Vienna(1996).
[9] CANADIAN NUCLEAR SAFETY COMMISSION, Design of Reactor Facilities:
Nuclear Power Plants, REGDOC-2.5.2, CNSC, Ottawa(2014).
[10] NUCLEAR REGULATORY COMMISSION, Compliance with Order EA-12-049,
Order Modifying Licenses with Regard to Requirements for Mitigation Strategies for
Beyond-Design-Basis External Events, JLD-ISG-2012-01, Rev.0, NRC, Washington,
DC(2012).
[11] AMERICAN SOCIETY OF MECHANICAL ENGINEERS, Standard for Level 1
Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant
Applications, ASME/ANSRA-S-2008, ASME, New York(2009).
[12] AMERICAN SOCIETY OF CIVIL ENGINEERS, The Pentagon Building Performance
Report, ASCE, Reston, VA(2003).
[13] FEDERAL EMERGENCY MANAGEMENT AGENCY, World Trade Center Building
Performance Study: Data Collection, Preliminary Observations, and Recommendations,
FEMA403, FEMA, NewYork(2002).
[14] NUCLEAR ENERGY INSTITUTE, Methodology for Performing Aircraft Impact
Assessment for New Plant Designs, NEI07-13, Rev.8P, NEI, Washington,DC(2011).
69
Annex
DEVELOPMENT OF THE EXTREME LOADING

DEFINITION MATRICES: THREE EXAMPLES
A1. INTRODUCTION
In this annex, representative load cases are defined following the format of
Section3. The objective is to acquaint the analyst on the type of information to be
provided, recognizing that it may need to be expanded when the actual analysis is
performed. Three examples pertaining to extreme human induced external events
are presented: aircraft crash, hazardous chemical release and blast.
Section3 introduced the load definition matrices as examples of the types
of input and response expected to be produced by the engineering staff. These
extreme loading definition matrices can be thought of in three categories:
(a) Level 1: Extreme Environment1 Matrix provides the correlation between

the human induced external event and the loading conditions.
(b) Level 2: Parameter Definition Matrices:
Impact Parameter Definition Matrix;
Explosion/Blast Parameter Definition Matrix;
Heat/Fire Parameter Definition Matrix;
Hazardous Material Release Definition Matrix.
(c) Level 3: Extreme Loading Matrix.
Examples are presented here to further clarify these concepts.

Reference[A2] presents very detailed assessments. The examples presented here
are only for familiarization with the issues. The example Extreme Environment
Matrix for a nuclear power plant subjected to three human induced external event
scenarios is given in Table A1.
1
For consistency with other IAEA publications(see Ref.[A1]), the term environment
is used in this publication in reference to the set of concurrent loads associated with a single
event. Hence, reference is made to extreme environments such as aircraft crash environment
or pipeline blast environment.
71
72
TABLE A1. EXTREME ENVIRONMENT MATRIX
Hazardous
Scenario No. Scenario description Impact Blast Heat/fire Smothering Flooding Other
materials release
Crash of a large passenger

aircraft with a fully 1, 2, 3 1, 2
1 No No No No No
fuelled fuselage into a (Table A2) (Table A3)
nuclear power plant
1
2 Chlorine release No No No No No No
(Table A6)
1 3, 4 2, 3
3 Blast pipeline No No No Debris
Note: Numbers under the physical loading conditions columns are explained in the specific table in parentheses.
A2. PARAMETER DEFINITION AND LOADING CONDITIONS FOR
AIRCRAFT CRASH (SCENARIO 1)
Human induced external event scenario 1 is defined as the accidental

crash of a large passenger aircraft into a nuclear power plant site. The loading
conditions are: aircraft impact on nuclear power plant structures, jet fuel fire
in buildings if perforation occurs, and aircraft crash induced vibration on all
buildings potentially impacted by the aircraft.
This is intended to be a realistic example, but, of course, the specifics
for a site depend greatly on the local conditions. In this hypothesized case, a
large passenger aircraft is considered and the site is assumed to be such that
the impact velocity of 110m/s is realistic, given the topography of the site and
other considerations. TablesA2 and A3 provide the impact parameters and the
heat/fire parameters, respectively, corresponding to this scenario.
Vibration loading conditions are described in TableA4. The analysis to be
performed is assumed to account for the flexible and non-linear behaviour of the
buildings of interest. It should be noted that this vibration loading condition was
only associated with the fuselage impact. A separate vibration loading condition
could have been specified for the engine or debris loads, if deemed appropriate.
Finally, Table A5 itemizes the loading conditions to be considered for the
buildings on the nuclear power plant site being evaluated. Load combinations
are as shown unless it can be demonstrated that it is unrealistic to consider the
indicated loads simultaneously.

CHLORINE RELEASE (SCENARIO 2)
Human induced external event scenario 2 is that of the accidental release

of 10 tonnes of chlorine gas from a truck. The truck is able to reach within
200 m of the plant boundary and release the entire inventory of 10 tonnes.
Detailed dispersion modelling could be used for this and other more severe cases
of chlorine release. For example, a rail car of 90 tonnes of chlorine could be
accidentally derailed, releasing the inventory of one or more rail cars transporting
chlorine. Modelling of the dispersion is a key component of the assessment. Table
A6 gives general information on the release. Table A7 lists structures to be
evaluated. Of course, this information needs to be supplemented with the details.
73
74
TABLE A2. IMPACT PARAMETER DEFINITION MATRIX: SCENARIO 1
Missile Shape/ Impact velocity Relative

Description Mass (kg) Impact angle Fire Explosion Vibration Other
type/No. configuration (m/s) hardness
Crash of a large
passenger aircraft
Fuselage 310 to 1
1 with a fully fuelled 396 900 110 Flexible No No No
40 m2/52 m2 horizontal (Table A4)
fuselage into a
nuclear power plant
Large passenger Circular body

310 to
2 aircraft engines as 4 300 2.7 m fan 110 Semi-rigid No No No No
horizontal
projectiles diameter
310 to
3 Debris 5 000 Rigid body 110 Rigid No No No No
horizontal
TABLE A3. HEAT/FIRE PARAMETER DEFINITION MATRIX: SCENARIO 1
Heat Burn Burn

Fire Combustible/ Quantitya Spreading Building/ Quantity Ignition
Description potential/ duration Other Type duration
No. ignition (L) surface yard (L) likelihood
temp. (C) (h) (h)
Jet fuel fire

Half
from a large Inside
1 Yes 216 000 surface of 1 200 <1 No 1 500 Kerosene Yes 1.5
passenger outer shell
outer shell
aircraft
Horizontal
crash of
a large
passenger
aircraft,
2 with a fully Yes 216 000 60 m 500 m 1 200 18 No No No Kerosene No No
fuelled
fuselage, on
the yard of
a nuclear
power plant
a
50% is considered to be consumed in a fire ball, 50% as pool fire.
75
76
TABLE A4. VIBRATION PARAMETER DEFINITION SCENARIO 1
LOADING FUNCTIONS
Loading function time histories

Vibration loading
Load application (buildings) Location: elevation
condition No.
Rigid target Flexible target Flexible/non-linear target
1 Reactor building All Yes
Emergency cooling water

2 All Yes
building
3 Diesel generator building All Yes

TABLE A5. EXTREME LOADING MATRIX: SCENARIO 1
Engineering Hazardous
Plant area Impact Blast Heat/fire Smothering Flooding Other
load description materials release
1, 2, 3 1 1
Reactor building Aircraft crash No Yes Yes Vibration
1, 2, 3 1 1
Emergency cooling water building Aircraft crash No Yes Yes Vibration
1, 2, 3 1 1
Pump house Aircraft crash No No Yes Vibration
1, 2, 3 1 1
Diesel generator building Aircraft crash No Yes Yes Vibration
2 2
Cooling water pipelines Aircraft crash No No No No No
(Table A3) (Table A3)
77
78
TABLE A6. HAZARDOUS MATERIAL RELEASE DEFINITION MATRIX: SCENARIO 2
Material Smothering effect Smothering effect Lethal or disabling

Case No. Quantity (t) Duration Penetration extent Other
description (personnel) (components) effect (personnel)
Multiple High through

1 Chlorine 10 Yes Yes High No
hours HVAC systems
Note: HVAC heating, ventilation and air-conditioning.

Engineering
Hazardous materials
Plant area environmental load Impact Blast Heat/fire Smothering Flooding Other
release
description
1
Reactor building Hazardous material
(Table A6)
Emergency cooling 1
Hazardous material
water building (Table A6)
1
Pump house Hazardous material
(Table A6)
Diesel generator 1
Hazardous material
building (Table A6)
1
Cooling water pipeline Hazardous material
(Table A6)
79
GAS PIPELINE EXPLOSION (SCENARIO 3)
Human induced external event scenario 3 is defined in Tables A8 to

A11. The event is characterized by an accidental gas pipeline explosion.
The gas pipeline is located a distance of 280 m from the closest safety related
structure of the nuclear power plant. The gas in the pipeline is methane (CH4)
and liquefied under pressure. The total amount of gas potentially ejected before
isolation of the pipeline up stream of the break location is 19900kg. The volume
of the gas cloud (airgas mixture volume) that could lead to the explosion is
estimated at 338000m3. The assumed relative flame front propagation is 0.3.
Characteristics of the blast are calculated based on the multi-energy method
described in Ref.[A2].
REFERENCES TO THE ANNEX
[A1] INTERNATIONAL ATOMIC ENERGY AGENCY, Engineering Safety Aspects of

the Protection of Nuclear Power Plants against Sabotage, IAEA Nuclear Security
Series No.4, IAEA, Vienna(2007).
[A2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Aspects of Nuclear Power
Plants in Human Induced External Events: Assessment of Structures, Safety Reports
Series No.87, IAEA, Vienna(in preparation).
80
TABLE A8. HEAT/FIRE PARAMETER DEFINITION MATRIX: SCENARIO 3
Burn
Combustible/ Heat Building/ Ignition Burn
Fire No. Description Quantity duration Other Quantity Type
ignition potential/temp. yard likelihood duration
(min)
80100% of
CH4 and other ejected gas 8001000C
3 Fire ball <5
hydrocarbons before break inside fire ball
isolation
Laminar
burning after Long due
25% of Transportation
suction into CH4 and other 8001000C to potential
4 ejected gas and ignition
building via hydrocarbons inside fire plume internal fire
volume likelihood low
ventilation loads
system
81
82
TABLE A9. HAZARDOUS MATERIAL RELEASE DEFINITION MATRIX: SCENARIO 3
Lethal or
Material Smothering effect Smothering effect Penetration
Case No. Quantity disabling effect Duration Other
description (personnel) (components) extent
(personnel)
Short term
ca. 50% of Via ventilation
depending
2 CO, CO2 stechiometric No No Yes system into main No
on weather
equilibrium control room
conditions
Burnable
CH4, air mixture ca. 80% of
3 No No No No No inside
(late ignition case) released
building
TABLE A10. EXPLOSION/BLAST PARAMETER DEFINITION MATRIX: SCENARIO 3
PRESSURE PULSE
Flammable Explosion Blast strength Reference Peak side on Blast wave Positive phase
Explosion No.
mask (kg) energy (MJ) (multi-energy method) distance (m) pressure (kPa) shape duration (ms)
1 19 900 1 183 000 7 280 31 B to A 212
Note: The multi-energy method described in Ref. [A2] is used.

Engineering environmental Hazardous

Plant area Impact Blast Heat/fire Smothering Flooding Other
load description materials release
3, 4 2, 3
Reactor building Gas pipeline
3, 4 2, 3
Emergency cooling water building Gas pipeline
3, 4 2, 3
Pump house Gas pipeline
3, 4 2, 3
Diesel generator building Gas pipeline
3, 4
Cooling water pipelines Gas pipeline
(Table A8)
83
ABBREVIATIONS
DBEE design basis external event
DEE design extension external event
EMEG emergency management equipment guidance
FLEX diverse and flexible coping strategies
PSA probabilistic safety assessment
SEL selected equipment list
SMA safety margin assessment
SSCs structures, systems and components
UHS ultimate heat sink
85
CONTRIBUTORS TO DRAFTING AND REVIEW
Altinyollar, A. International Atomic Energy Agency
Basu, P. International Atomic Energy Agency
Beltran, F. International Atomic Energy Agency
Blahoianu, A. Canadian Nuclear Safety Commission, Canada
Henkel, F.-O. Wlfel Beratende Ingenieure GmbH & Co. KG,

Germany
Iqbal, J. Pakistan Atomic Energy Commission, Pakistan
Johnson, J.J. James J. Johnson & Associates,

United States of America
Kennedy, R.P. RPK Structural Mechanics Consulting,

United States of America
Markovic, D. lectricit de France, France
Morita, S. International Atomic Energy Agency
Orbovic, N. Canadian Nuclear Safety Commission, Canada
Pino, G. ITER Consult, Italy
Pisharady, A. Atomic Energy Regulatory Board, India
Rangelow, P. AREVA, Germany
Ravindra, M.K. M.K. Ravindra Consulting, United States of America
Ricciuti, R. Candu Energy, Canada
Saarenheimo, A. VTT Technical Research Centre of Finland Ltd,

Finland
Samaddar, S.K. International Atomic Energy Agency
Vlikangas, P. Radiation and Nuclear Safety Authority, Finland
87
Varpasuo, P. Fortum Nuclear Services, Finland
Vayssier, G. NSC, Netherlands
Consultants Meetings
Ottawa, Canada: 2829 March 2011; 1014 September 2012

Vienna, Austria: 47 October 2011; 1214 November 2012, 1721 December 2012;
31 January 1 February 2013, 1115 November 2013
88
@ No. 24
ORDERING LOCALLY
In the following countries, IAEA priced publications may be purchased from the sources listed below or
from major local booksellers.
Orders for unpriced publications should be made directly to the IAEA. The contact details are given at
the end of this list.
BELGIUM
Jean de Lannoy
Avenue du Roi 202, 1190 Brussels, BELGIUM
Telephone: +32 2 5384 308 Fax: +32 2 5380 841
Email: jean.de.lannoy@euronet.be Web site: http://www.jean-de-lannoy.be
CANADA
Renouf Publishing Co. Ltd.
22-1010 Polytek Street, Ottawa, ON K1J 9J1, CANADA
Telephone: +1 613 745 2665 Fax: +1 643 745 7660
Email: order@renoufbooks.com Web site: http://www.renoufbooks.com
Bernan Associates
4501 Forbes Blvd., Suite 200, Lanham, MD 20706-4391, USA
Telephone: +1 800 865 3457 Fax: +1 800 865 3450
Email: orders@bernan.com Web site: http://www.bernan.com
CZECH REPUBLIC
Suweco CZ, s.r.o.
SESTUPN 153/11, 162 00 Prague 6, CZECH REPUBLIC
Telephone: +420 242 459 205 Fax: +420 284 821 646
Email: nakup@suweco.cz Web site: http://www.suweco.cz
FRANCE
Form-Edit
5 rue Janssen, PO Box 25, 75921 Paris CEDEX, FRANCE
Telephone: +33 1 42 01 49 49 Fax: +33 1 42 01 90 90
Email: fabien.boucard@formedit.fr Web site: http://www.formedit.fr
Lavoisier SAS
14 rue de Provigny, 94236 Cachan CEDEX, FRANCE
Telephone: +33 1 47 40 67 00 Fax: +33 1 47 40 67 02
Email: livres@lavoisier.fr Web site: http://www.lavoisier.fr
LAppel du livre
99 rue de Charonne, 75011 Paris, FRANCE
Telephone: +33 1 43 07 43 43 Fax: +33 1 43 07 50 80
Email: livres@appeldulivre.fr Web site: http://www.appeldulivre.fr
GERMANY
Goethe Buchhandlung Teubig GmbH
Schweitzer Fachinformationen
Willsttterstrasse 15, 40549 Dsseldorf, GERMANY
Telephone: +49 (0) 211 49 874 015 Fax: +49 (0) 211 49 874 28
Email: kundenbetreuung.goethe@schweitzer-online.de Web site: http://www.goethebuch.de
HUNGARY
Librotrade Ltd., Book Import
Pesti ut 237. 1173 Budapest, HUNGARY
Telephone: +36 1 254-0-269 Fax: +36 1 254-0-274
Email: books@librotrade.hu Web site: http://www.librotrade.hu
INDIA
Allied Publishers
1st Floor, Dubash House, 15, J.N. Heredi Marg, Ballard Estate, Mumbai 400001, INDIA
Telephone: +91 22 4212 6930/31/69 Fax: +91 22 2261 7928
Email: alliedpl@vsnl.com Web site: http://www.alliedpublishers.com
Bookwell
3/79 Nirankari, Delhi 110009, INDIA
Telephone: +91 11 2760 1283/4536
Email: bkwell@nde.vsnl.net.in Web site: http://www.bookwellindia.com
ITALY
Libreria Scientifica AEIOU
Via Vincenzo Maria Coronelli 6, 20146 Milan, ITALY
Telephone: +39 02 48 95 45 52 Fax: +39 02 48 95 45 48
Email: info@libreriaaeiou.eu Web site: http://www.libreriaaeiou.eu
JAPAN
Maruzen-Yushodo Co., Ltd.
10-10, Yotsuyasakamachi, Shinjuku-ku, Tokyo 160-0002, JAPAN
Telephone: +81 3 4335 9312 Fax: +81 3 4335 9364
Email: bookimport@maruzen.co.jp Web site: http://maruzen.co.jp
RUSSIAN FEDERATION
Scientific and Engineering Centre for Nuclear and Radiation Safety
107140, Moscow, Malaya Krasnoselskaya st. 2/8, bld. 5, RUSSIAN FEDERATION
Telephone: +7 499 264 00 03 Fax: +7 499 264 28 59
Email: secnrs@secnrs.ru Web site: http://www.secnrs.ru
UNITED STATES OF AMERICA

Bernan Associates
4501 Forbes Blvd., Suite 200, Lanham, MD 20706-4391, USA
Telephone: +1 800 865 3457 Fax: +1 800 865 3450
Email: orders@bernan.com Web site: http://www.bernan.com
Renouf Publishing Co. Ltd.
812 Proctor Avenue, Ogdensburg, NY 13669-2205, USA
Telephone: +1 888 551 7470 Fax: +1 888 551 7471
Email: orders@renoufbooks.com Web site: http://www.renoufbooks.com
Orders for both priced and unpriced publications may be addressed directly to:
IAEA Publishing Section, Marketing and Sales Unit
International Atomic Energy Agency
Vienna International Centre, PO Box 100, 1400 Vienna, Austria
15-48591
Telephone: +43 1 2600 22529 or 22530 Fax: +43 1 2600 29302

Email: sales.publications@iaea.org Web site: http://www.iaea.org/books
R E L AT ED PUBL ICAT IONS
EXTERNAL EVENTS EXCLUDING EARTHQUAKES IN THE DESIGN OF

IAEA Safety Standards Series No. NS-G-1.5
STI/PUB/1159 (105 pp.; 2003)
ISBN 9201010990 Price: 27.00
EXTERNAL HUMAN INDUCED EVENTS IN SITE EVALUATION FOR

IAEA Safety Standards Series No. NS-G-3.1
STI/PUB/1126 (49 pp.; 2002)
ISBN 9201112025 Price: 14.50
SAFETY ASPECTS OF NUCLEAR POWER PLANTS IN HUMAN INDUCED

EXTERNAL EVENTS: MARGIN ASSESSMENT
Safety Reports Series No. 88
STI/PUB/1723 (102 pp.; 2017)
ISBN 9789201114150 Price: 42.00
www.iaea.org/books
This publication provides a general roadmap
f o r p e r f or m in g th e des ig n an d e v al uati on of the
p r o t e c tion of n u clear power pla nts agai nst human
induced external events, consistent with IAEA
s a f e t y s tan dar ds . I t f ocu s es on an ov eral l v i e w of
t h e m eth odolog y an d on im por tant consi derati ons
f o r i t s application to exis tin g and ne w nucl ear
p o we r plan ts . T h e pu blication al so prov i des an
a p p ro ach to th e as s es s m en t ag a i nst extreme human
in d u c e d exter n al e ven ts wh ich i s ful l y consi stent
with the methods used for the evaluation of
n u c l e ar f acilities s u bjected t o extreme natural
e ve n t s, s u ch as ear th qu akes and fl oods.
INTERNATIONAL ATOMIC ENERGY AGENCY

VIENNA
ISBN 9789201110152
ISSN 10206450

Nuclear Safety

Uploaded by

Copyright:

Available Formats

You might also like

Nuclear Safety

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Nuclear Safety

Uploaded by

Copyright:

Available Formats

Safety Reports Series

Safety Aspects of Nuclear

IAEA SAFETY STANDARDS

AFGHANISTAN GEORGIA OMAN

INTERNATIONAL ATOMIC ENERGY AGENCY

Marketing and Sales Unit, Publishing Section

Printed by the IAEA in Austria

IAEA Library Cataloguing in Publication Data

Many human actions pose challenges to the safe operation of a nuclear

2. ELEMENTS OF ENGINEERING SAFETY EVALUATIONS . . . . . 7

3. EVENT IDENTIFICATION AND LOAD

3.1. Screening of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

4. PLANT SPECIFIC EVALUATION . . . . . . . . . . . . . . . . . . . . . . . . . . 52

4.1. Defence in depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

5. DESIGN OF NEW PLANTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

5.1. Design process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

6. SAFETY EVALUATION OF EXISTING PLANTS . . . . . . . . . . . . . . 66

ANNEX: DEVELOPMENT OF THE EXTREME LOADING

IAEA Safety Standards Series No.SF-1, Fundamental Safety Principles[1],

Phase 1: Event identification;

The objective of this Safety Report is to provide the framework of methods

This Safety Report concentrates on the development of a methodology and

Section 2 provides an overview of the approach to engineering safety design

Any occurrence that is unintended by the operator of the nuclear facility,

Human induced external event

An event that is unconnected with the operation of the nuclear facility. In

Design basis external event

An external event explicitly taken into account in the design of a facility,

Beyond design basis external event

Design extension external event

An external event that is not considered as a DBEE, but that is considered in

Loading conditions for each external event are defined probabilistically or

Increasing Event Severity

Beyond design basis external event

External events either not included as a general design basis or included

General design basis

Structures, systems and components margin

A generic term defining the relative or absolute measure of a key

In the context of Ref.[3], the level of a hazard, generally beyond the

2. ELEMENTS OF ENGINEERING SAFETY

For the design or evaluation of nuclear facilities subjected to extreme

2.2. KEY ELEMENTS

As introduced in Section1.1, the engineering safety evaluation process is

Phase 1: Event identification;

2.2.1. Phase 1: Event identification

Phase 1 is the first and highest level of screening implemented in the

Facilities and transport Relevant features of

Oil refinery, chemical plant, Quantity and nature of Explosion

Military facilities Types of activities Projectile generation

Railway trains and wagons, Passage routes and Explosion

Facilities and transport Relevant features of

Airport zone Aircraft movements and Abnormal flights leading to

Air traffic corridors and Flight frequencies Abnormal flights leading to

Source: Table I of NS-G-3.1[5].

TABLE2. EVOLUTION OF EVENTS AND IMPACT ON THE NUCLEAR

Possible impact of each

Possible impact of each

Ground collapse Ground collapse (7) (8) (9)

Blockage or damage Interference with cooling (12)